CVE-2024-11667
In short
A flaw in Zyxel firewall web interfaces lets attackers download or upload files by using specially crafted web addresses, potentially exposing sensitive data or injecting malicious files.
Technical detail
A directory traversal vulnerability in the web management interface allows unauthenticated or authenticated attackers to bypass path restrictions via crafted URLs and access arbitrary files on the system. It affects Zyxel ATP, USG FLEX, and USG20(W)-VPN devices running vulnerable firmware versions (V5.00-V5.38 or V5.10-V5.38, depending on model) and enables unauthorized file read/write operations.
Summary generated and translated by AI from the official description.
A directory traversal vulnerability in the web management interface of Zyxel ATP series firmware versions V5.00 through V5.38, USG FLEX series firmware versions V5.00 through V5.38, USG FLEX 50(W) series firmware versions V5.10 through V5.38, and USG20(W)-VPN series firmware versions V5.10 through V5.38 could allow an attacker to download or upload files via a crafted URL.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
Zyxel · ATP series firmware
Zyxel · USG20(W)-VPN series firmware
Zyxel · USG FLEX 50(W) series firmware
Zyxel · USG FLEX series firmware