KEVIntel
CVSS 7.5 High

CVE-2024-11667

PUBLISHED

Exploited in the wild, Used in malware, Remote, Low complexity, No user interaction
Vendor: Zyxel
Product: ATP series firmware, USG FLEX series firmware, USG FLEX 50(W) series firmware, USG20(W)-VPN series firmware
Published: Nov 27, 2024
EPSS

Description

A directory traversal vulnerability in the web management interface of Zyxel ATP series firmware versions V5.00 through V5.38, USG FLEX series firmware versions V5.00 through V5.38, USG FLEX 50(W) series firmware versions V5.10 through V5.38, and USG20(W)-VPN series firmware versions V5.10 through V5.38 could allow an attacker to download or upload files via a crafted URL.

cisa malware ransomware edge

CVSS scores

CVSS v3.1 7.5 High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitation status

Exploited in the wild

Recorded 2024-12-03 00:00:00 UTC

Used in malware

Recorded 2024-12-03 00:00:00 UTC

SSVC decision points

Exploitation: active
Automatable: Yes
Technical impact: partial

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
CISA Dec 03, 2024

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Exploit Used in Malware

  • Added to KEVIntel