CVE-2024-11667

Basic Information

CVE State
PUBLISHED
Reserved Date
November 25, 2024
Published Date
November 27, 2024
Last Updated
December 06, 2024
Vendor
Zyxel
Product
ATP series firmware, USG FLEX series firmware, USG FLEX 50(W) series firmware, USG20(W)-VPN series firmware
Description
A directory traversal vulnerability in the web management interface of Zyxel ATP series firmware versions V5.00 through V5.38, USG FLEX series firmware versions V5.00 through V5.38, USG FLEX 50(W) series firmware versions V5.10 through V5.38, and USG20(W)-VPN series firmware versions V5.10 through V5.38 could allow an attacker to download or upload files via a crafted URL.

CVSS Scores

CVSS v3.1

7.5 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
partial

Exploit Status

Exploited in the Wild
Yes (added 2024-12-03 00:00:00 UTC)
Used in Malware
Yes (added 2024-12-03 00:00:00 UTC)

Known Exploited Vulnerability Information

Source
CISA
Added Date
2024-12-03 00:00:00 UTC