Zyxel reports their firewalls being targeted in ransomware attacks
Take action: If you are running Zyxel firewalls, prioritize patching and reset all credentials. If you can't patch immediately, disable remote access where possible.
Zyxel has issued a warning about active exploitation of a recently patched command injection vulnerability in their firewalls.
The vulnerability, tracked as CVE-2024-42057 (CVSS score 8.1), allows remote, unauthenticated attackers to execute operating system commands on vulnerable devices. This security flaw affects devices configured to use User-Based-PSK authentication and requires the presence of a valid user with a username exceeding 28 characters.
A second vulnerability also used in the attacks, tracked as CVE-2024-11667 (CVSS score 7.5), is a directory traversal flaw in the web management interface of Zyxel ZLD firewall firmware that enables attackers to upload or download files through specially crafted URLs.
The Helldown ransomware gang has been observed actively exploiting this vulnerability as an initial access vector into target organizations. According to cybersecurity firm Sekoia's investigation, the threat actors are creating SSL VPN tunnels using temporary usernames such as "SUPPORT87", "SUPPORT817", and "VPN". The attackers are also modifying security policies to expand their access to compromised devices and networks.
The group has also been leveraging credentials stolen through earlier vulnerabilities from organizations that failed to update, so keep up with patches and rotate credentials after patching.
The vulnerability affects multiple Zyxel firewall product lines:
- ATP series
- USG FLEX series
- USG FLEX 50(W)/USG20(W)-VPN series
- Devices running ZLD firmware versions 4.32 to 5.38 with remote management or SSL VPN enabled
In response, Zyxel has released firmware version 5.39 to patch the vulnerability across all affected devices. The company's EMEA team has been actively tracking the threat actors' activities and has observed increased targeting of Zyxel security appliances.
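The indicators above (the temporary SSL VPN usernames reported by Sekoia, the over-28-character username precondition for CVE-2024-42057, policy changes made from those accounts, and the 4.32 to 5.38 affected firmware range) can be turned into a small triage script. The following is an added example, not code from Zyxel, Sekoia or the original article; the log lines are constructed and the `key=value` syslog layout is assumed for illustration, so the regex must be adapted to the real export format of your appliance.

```python
import re

# Constructed sample events in an assumed "key=value" syslog style; this is NOT
# Zyxel's real log format, only a stand-in so the example runs offline.
SAMPLE_LOGS = [
    '2024-11-20T10:01:02Z fw1 sslvpn-tunnel-up user=alice src=203.0.113.10',
    '2024-11-20T10:05:44Z fw1 sslvpn-tunnel-up user=SUPPORT87 src=198.51.100.7',
    '2024-11-20T10:06:10Z fw1 policy-change user=SUPPORT87 msg="rule added: any->any allow"',
    '2024-11-20T10:07:00Z fw1 user-created user=svc-backup-integration-account-long-name src=198.51.100.7',
    '2024-11-20T10:08:30Z fw1 sslvpn-tunnel-up user=bob src=203.0.113.22',
]

# Temporary usernames reported by Sekoia for the Helldown intrusions.
SUSPICIOUS_USERS = {"SUPPORT87", "SUPPORT817", "VPN"}
# CVE-2024-42057 requires a valid user whose name is longer than 28 characters.
MAX_SAFE_USERNAME_LEN = 28

# Assumed line shape: <timestamp> <device> <event> user=<name> ...
EVENT_RE = re.compile(r'^(?P<ts>\S+) (?P<dev>\S+) (?P<event>\S+) user=(?P<user>\S+)')


def parse_version(text):
    """'5.38' -> (5, 38); raises ValueError on anything that is not major.minor."""
    major, minor = text.strip().split('.')
    return int(major), int(minor)


def is_vulnerable_firmware(version):
    """ZLD 4.32 through 5.38 are affected; 5.39 carries the fix."""
    v = parse_version(version)
    return parse_version('4.32') <= v <= parse_version('5.38')


def flag_event(line):
    """Return the list of reasons a single log line deserves attention (empty if none)."""
    m = EVENT_RE.match(line)
    if not m:
        return []
    reasons = []
    user = m.group('user')
    if user in SUSPICIOUS_USERS:
        reasons.append('known temporary username')
    if len(user) > MAX_SAFE_USERNAME_LEN:
        reasons.append('username longer than 28 characters')
    if m.group('event') == 'policy-change':
        reasons.append('security policy modified')
    return reasons


def triage(lines):
    """Map each flagged line index to (user, reasons); clean lines are omitted."""
    hits = {}
    for i, line in enumerate(lines):
        reasons = flag_event(line)
        if reasons:
            hits[i] = (EVENT_RE.match(line).group('user'), reasons)
    return hits


if __name__ == '__main__':
    for idx, (user, reasons) in triage(SAMPLE_LOGS).items():
        print(f'line {idx}: user={user}: {", ".join(reasons)}')
    print('firmware 5.38 vulnerable:', is_vulnerable_firmware('5.38'))
```

A hit on the long-username rule is not proof of compromise on its own (legitimate service accounts can be long), but on firmware in the affected range it marks the account that should be renamed or removed before the device is patched and credentials are rotated; the policy-change rule is the one most worth alerting on in real time, since it is the step the attackers use to widen access.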
Zyxel strongly recommends that users immediately upgrade to the patched firmware. Additionally, the company advises users to update all administrator and user account passwords and temporarily disable remote access to vulnerable firewalls where possible.