A directory traversal vulnerability (CVE-2024-11667) in the web management interface of Zyxel ATP series firmware versions V5.00 through V5.38, USG FLEX series firmware versions V5.00 through V5.38, USG FLEX 50(W) series firmware versions V5.10 through V5.38, and USG20(W)-VPN series firmware versions V5.10 through V5.38 could allow an unauthenticated attacker to download or upload files via a crafted URL.
Zyxel rated the vulnerability CVSS 7.5 (High). Because it is reachable without authentication on a device that sits at the network edge, it should be treated as a priority fix rather than a routine patch.
Organizations running these versions should patch immediately. The flaw lets an attacker read files outside the directory the web interface is meant to serve and write files to the device, which can expose sensitive data (potentially including the firewall's own configuration) and provide a foothold for further compromise.
The vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. A KEV entry is not a watch-list item: it means exploitation in the wild has been confirmed, and U.S. federal agencies are bound by its remediation deadline. Other organizations should read it as the same signal and check current threat intelligence for indicators relevant to their environment.
Vulnerability Details
The flaw is classified as CWE-22, improper limitation of a pathname to a restricted directory (path traversal). It arises when user-supplied path input is not validated, so sequences such as ../ in a request walk the file system outside the intended directory and reach files the interface was never meant to expose.
NVD records two CVSS v3.1 assessments: the vendor's 7.5 (High) and NIST's own 9.8 (Critical). Both agree on the vector (network attack, low complexity, no privileges and no user interaction required); they differ only in how severely the file read and write primitive is judged to affect confidentiality, integrity and availability.
Technical Analysis
The root cause is that the web management interface does not properly sanitize the path component of requests. By placing traversal sequences in a crafted URL, an attacker can make the interface read files from, or write files to, locations outside the directory it should be confined to.
Exploitation is remote and low-complexity: no credentials and no user interaction are needed, so an internet-exposed management interface can be attacked directly.
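To make the root cause concrete, here is an added illustrative example of CWE-22 in a hypothetical file-serving handler. It is not Zyxel's code (which is not public); WEBROOT, the function names and the inputs are stand-ins. The first function is the classic bug, the second is the hardened form.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Added illustrative example of CWE-22. This is NOT Zyxel's code: the
# handler, WEBROOT and function names are hypothetical stand-ins for a
# web management interface that serves files from a fixed directory.

WEBROOT = "/var/www/mgmt"  # hypothetical base directory the handler must never leave


def vulnerable_resolve(user_path: str) -> str:
    """The classic bug: decode the client-supplied path and join it under
    WEBROOT with no containment check. Every '..' segment walks one level
    up, so enough of them reach any file the process can read."""
    decoded = unquote(user_path)
    return posixpath.normpath(posixpath.join(WEBROOT, decoded.lstrip("/")))


def hardened_resolve(user_path: str) -> Optional[str]:
    """Decode, normalize, then require the result to remain inside WEBROOT.
    Returns the resolved path, or None when the request must be rejected."""
    decoded = unquote(user_path)
    # Decode a second time so double-encoded sequences (%252e%252e%252f)
    # are seen as the '../' they become after an intermediate decode.
    decoded = unquote(decoded)
    if "\x00" in decoded:  # NUL bytes truncate paths in C-based servers
        return None
    candidate = posixpath.normpath(posixpath.join(WEBROOT, decoded.lstrip("/")))
    # commonpath, not startswith: '/var/www/mgmt2' starts with
    # '/var/www/mgmt' but is a different directory.
    if posixpath.commonpath([WEBROOT, candidate]) != WEBROOT:
        return None
    # In deployed code also compare os.path.realpath() of both sides so a
    # symlink inside WEBROOT cannot point back out of it (omitted here so
    # the example runs without touching the filesystem).
    return candidate


if __name__ == "__main__":
    probe = "..%2F..%2F..%2Fetc%2Fpasswd"
    print("vulnerable:", vulnerable_resolve(probe))
    print("hardened:  ", hardened_resolve(probe))
```

The containment check uses commonpath rather than a string prefix test on purpose; a prefix test lets a sibling directory whose name merely begins with the root's name slip through. On a real device the same check must be applied to the realpath of both sides, since a symlink under the web root is another way out of it.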
Risk & Impact Analysis
Risk includes unauthorized reading of sensitive files (on a firewall, potentially the device configuration), data leakage, and the ability to write files, which attackers use to establish a foothold and pivot into the network behind the device. Because these appliances sit at the perimeter, the impact extends beyond the device itself to the integrity of the network it protects and to regulatory obligations around the data that crosses it.
Given the CVSS ratings and confirmed exploitation, organizations should assess exposure (is the web management interface reachable from the internet?) and move remediation to the front of the patching cycle. The EPSS percentile of 97% means the model ranks this vulnerability's exploitation probability above 97% of all scored CVEs.
Exploitation Status
| Signal | Status |
|---|---|
| Known Exploit | No |
| Public PoC | No |
| Actively Exploited | Yes |
| Ransomware Use | Yes |
Affected Versions
The affected versions are Zyxel ATP series firmware V5.00 through V5.38, USG FLEX series V5.00 through V5.38, USG FLEX 50(W) series V5.10 through V5.38, and USG20(W)-VPN series V5.10 through V5.38. Zyxel's advisory lists firmware V5.39 as the fixed release; confirm the running version on each device rather than assuming a fleet-wide upgrade completed.
Mitigation & Remediation
Apply the fixed firmware (V5.39) per the Zyxel security advisory published on November 27, 2024, or discontinue use of the product if it cannot be patched. Until patched, and as a standing control afterward, do not expose the web management interface to the WAN; restrict it to management networks or VPN access. Because an unauthenticated file read against a firewall can expose stored configuration, treat credentials on devices that were internet-reachable while vulnerable as potentially compromised and rotate them after patching.
Detection Guidance
Detection should focus on the web management interface's access logs. Look for request paths containing traversal sequences, both literal (../, ..\) and percent-encoded or double-encoded (%2e%2e%2f, ..%2f, %252e%252e%252f), especially those that resolve outside the web root and that returned a 2xx status, since a 2xx on such a request indicates the read or write likely succeeded. Correlate with events a successful traversal would enable: unexpected administrative logins, configuration changes, new VPN users, or outbound connections from the device. Requests of this kind from unfamiliar source addresses against a perimeter device warrant investigation rather than being tuned out as scanner noise.
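The detection logic above, as an added example that is not part of the original page: a small scanner that percent-decodes request paths until they stop changing, walks the path segments to decide whether the request climbs above the web root, and keeps the status code so analysts can rank successful reads first. The log lines are constructed for the example in Apache combined format; Zyxel devices log in their own format, so only the parsing regex needs adapting.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Added example: a log scanner for traversal attempts against a web
# management interface. The log lines below are CONSTRUCTED for this
# example (Apache combined format). A real Zyxel log source has a
# different layout, so adapt LOG_RE; classify_path is format-independent.
SAMPLE_LOGS = """\
10.0.0.5 - - [28/Nov/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [28/Nov/2024:10:01:09 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 200 1844
203.0.113.7 - - [28/Nov/2024:10:01:11 +0000] "GET /images/..%2F..%2Fconf%2Fapp.conf HTTP/1.1" 200 9031
203.0.113.7 - - [28/Nov/2024:10:01:15 +0000] "POST /upload/%252e%252e%252f%252e%252e%252ftmp%252fx.sh HTTP/1.1" 200 14
10.0.0.8 - - [28/Nov/2024:10:02:00 +0000] "GET /css/../css/main.css HTTP/1.1" 200 2048
203.0.113.9 - - [28/Nov/2024:10:03:00 +0000] "GET /../../etc/shadow HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %2e%2e%2f and
    the double-encoded %252e%252e%252f both surface as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_path(target: str) -> Optional[str]:
    """Return a reason string if the request target looks like traversal,
    else None. Tracks depth relative to the web root while walking the
    decoded segments; dropping below zero means the path escapes it."""
    path = target.split("?", 1)[0]
    decoded = decode_fully(path)
    was_encoded = decoded != path
    normalized = decoded.replace("\\", "/")  # backslash variants
    segments = [seg for seg in normalized.split("/") if seg not in ("", ".")]
    depth, has_dotdot = 0, False
    for seg in segments:
        if seg == "..":
            has_dotdot = True
            depth -= 1
            if depth < 0:
                suffix = " (percent-encoded)" if was_encoded else ""
                return "escapes webroot" + suffix
        else:
            depth += 1
    if has_dotdot:
        return "contains '..' but stays inside webroot"
    return None


def scan(log_text: str) -> list:
    """Apply classify_path to every parseable line. The status code is kept
    because a 2xx on an escaping request means the read or write likely
    succeeded, whereas a 4xx suggests the server rejected it."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_path(m["target"])
        if reason:
            hits.append({"ip": m["ip"], "method": m["method"],
                         "target": m["target"], "status": int(m["status"]),
                         "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Browsers and well-behaved clients collapse .. segments before sending a request, so any .. that reaches the server is already unusual; the depth check separates the merely odd (stays inside the root) from the dangerous (escapes it), and the encoding flag distinguishes a hand-crafted probe from a malformed link.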
AppSecure Threat Intelligence Insight
This vulnerability fits the continuing pattern of attackers targeting file read and write flaws in internet-facing network appliances. Security teams should patch it and also reassess whether management interfaces need to be exposed at all. Continuous monitoring and regular penetration testing help find similar weaknesses before attackers do.
For comprehensive testing strategies, organizations can explore our red teaming services and learn more about how to enhance their defenses.
Organizations should also consider implementing a continuous penetration testing approach to stay ahead of evolving threats.
Finally, integrating insights from our vulnerability management program can further strengthen your organization's defenses against such vulnerabilities.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.