CVE-2024-11667 Overview
A directory traversal vulnerability exists in the web management interface of multiple Zyxel firewall product lines. This vulnerability affects Zyxel ATP series firmware versions V5.00 through V5.38, USG FLEX series firmware versions V5.00 through V5.38, USG FLEX 50(W) series firmware versions V5.10 through V5.38, and USG20(W)-VPN series firmware versions V5.10 through V5.38. The flaw allows attackers to download or upload files via a crafted URL, potentially leading to complete system compromise.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Attackers can leverage this flaw to exfiltrate sensitive configuration data or upload malicious files to compromised Zyxel firewall appliances, potentially gaining persistent access to network perimeter defenses.
Affected Products
- Zyxel ATP Series (ATP100, ATP100W, ATP200, ATP500, ATP700, ATP800) - Firmware V5.00 through V5.38
- Zyxel USG FLEX Series (USG FLEX, USG FLEX 100, USG FLEX 100AX, USG FLEX 100W, USG FLEX 200, USG FLEX 500, USG FLEX 700) - Firmware V5.00 through V5.38
- Zyxel USG FLEX 50(W) Series and USG20(W)-VPN - Firmware V5.10 through V5.38
Discovery Timeline
- November 27, 2024 - CVE-2024-11667 published to NVD
- October 27, 2025 - Last updated in NVD database
Technical Details for CVE-2024-11667
Vulnerability Analysis
This directory traversal vulnerability (CWE-22) resides in the web management interface of affected Zyxel firewall products. The vulnerability stems from improper validation of user-supplied input in URL parameters, allowing attackers to traverse directory structures outside the intended web root. By manipulating path elements in HTTP requests, an unauthenticated remote attacker can access arbitrary files on the filesystem or upload malicious content to sensitive locations.
The exploitation requires no authentication and can be performed remotely over the network, making this vulnerability particularly dangerous for internet-facing management interfaces. Successful exploitation grants attackers the ability to read sensitive configuration files containing credentials, VPN keys, and network topology information, or to upload malicious scripts and backdoors for persistent access.
Root Cause
The root cause is inadequate input sanitization in the web management interface's file handling routines. The application fails to properly neutralize special path elements such as ../ sequences in user-supplied URLs before using them to construct file system paths. This allows attackers to escape the intended directory context and access or modify files elsewhere on the system.
The affected firmware versions do not implement sufficient validation to detect and block directory traversal sequences, nor do they employ proper canonicalization of file paths before performing file operations.
Attack Vector
The attack is conducted remotely over the network by sending specially crafted HTTP requests to the web management interface. An attacker constructs a malicious URL containing directory traversal sequences (such as ../) to navigate outside the web root directory. This allows the attacker to:
- Download sensitive files: Access configuration files, credential stores, certificates, and other sensitive data stored on the device filesystem
- Upload malicious files: Place backdoors, web shells, or modified configuration files in critical system locations
- Establish persistence: Deploy persistent access mechanisms that survive device reboots
The attack requires no prior authentication, significantly lowering the barrier to exploitation. Organizations exposing their Zyxel firewall management interfaces to the internet are at immediate risk.
Detection Methods for CVE-2024-11667
Indicators of Compromise
- Unusual HTTP requests to the web management interface containing path traversal sequences such as ../, ..%2f, or URL-encoded variants
- Unexpected files appearing in system directories or modifications to configuration files
- Web server access logs showing requests with abnormally long URLs or repeated parent directory references
- Unauthorized changes to firewall rules, VPN configurations, or user accounts
Detection Strategies
- Monitor web server logs for HTTP requests containing directory traversal patterns targeting the management interface
- Implement network-based intrusion detection rules to alert on path traversal sequences in traffic destined for Zyxel management ports
- Deploy file integrity monitoring on critical Zyxel device directories to detect unauthorized modifications
- Review authentication logs for evidence of credential harvesting or unauthorized administrative access following potential exploitation
Monitoring Recommendations
- Enable comprehensive logging on Zyxel firewall management interfaces and forward logs to a centralized SIEM
- Configure alerting for any access attempts to the web management interface from untrusted IP addresses
- Implement baseline monitoring to detect anomalous file system activity or configuration changes on firewall appliances
- Regularly audit administrative access and review configuration changes for signs of compromise
How to Mitigate CVE-2024-11667
Immediate Actions Required
- Immediately update all affected Zyxel devices to firmware version V5.39 or later
- Restrict access to web management interfaces to trusted internal networks only using firewall rules or VPN requirements
- Audit firewall configurations and credentials for any signs of unauthorized access or modification
- Change all administrative passwords and regenerate VPN keys on potentially compromised devices
- Review system logs for indicators of exploitation and investigate any anomalies
Patch Information
Zyxel has released updated firmware to address this vulnerability. Organizations should upgrade to firmware version V5.39 or later on all affected devices. The Zyxel Security Advisory provides detailed guidance on obtaining and applying the security update. Given the active exploitation status documented in the CISA Known Exploited Vulnerabilities Catalog, patching should be treated as an emergency priority.
Workarounds
- Disable remote management access to affected devices until patches can be applied
- Implement strict IP allowlisting for management interface access, limiting connectivity to known administrator workstations
- Deploy a VPN or jump host requirement for all administrative access to firewall management interfaces
- Consider temporarily disconnecting management interfaces from the network if patching cannot be performed immediately
# Example: Restrict management interface access via ACL
# Add to device configuration to limit management access to trusted subnet
# Consult Zyxel documentation for device-specific syntax
# Verify current firmware version
show version
# Check management interface access settings
show management-interface
# Apply IP-based access restrictions for management
# Only allow access from trusted admin network (example: 10.0.1.0/24)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
