ACTIVELY EXPLOITED · 3 sources verified
By Lyrie Threat Intelligence·12/3/2024

What happened

CISA added CVE-2024-11667 to the Known Exploited Vulnerabilities (KEV) catalog on 2024-12-03, signaling in-the-wild exploitation (CISA KEV entry) (CISA). The entry describes a path traversal in the Zyxel firewall web management interface that enables file download or upload via a crafted URL (CISA short description) (CISA). The vulnerability tracks to CWE-22 Directory Traversal in public records (CWE mapping) (NVD).

CISA set a remediation due date of 2024-12-24 for federal agencies, with required action to apply vendor mitigations or discontinue use if unavailable (CISA required action and due date) (CISA). The KEV entry also flags “Known” ransomware campaign use associated with this CVE (KEV ransomware note) (CISA). NVD and MITRE list the CVE and reference its directory traversal nature affecting multiple Zyxel firewalls (public CVE record) (NVD, MITRE).

Why it matters

A directory traversal in a firewall’s web management plane represents direct risk to system integrity, because it can expose or modify files the device relies on (Directory Traversal/CWE-22) (NVD). Here, the KEV description explicitly states attackers can download or upload files via crafted URLs, which can lead to unauthorized data access or changes to managed content (KEV short description) (CISA). Being on KEV means exploitation is observed, so defenders should assume active probing and opportunistic targeting are already underway (KEV inclusion = exploited) (CISA).

The “Known” ransomware campaign association elevates urgency: actors are operationalizing this bug for impact beyond reconnaissance (KEV ransomware note) (CISA). Because the vector is an HTTP request to the management interface, attacks can be automated and scaled quickly by commodity tooling once endpoints are identified (HTTP-management attack vector) (NVD).

Technical detail

The flaw is categorized under CWE-22 Directory Traversal, implying improper neutralization of path elements in request handling (CWE-22 classification) (NVD, MITRE). According to KEV, a crafted URL sent to the firewall’s web management interface can trigger traversal to access filesystem locations and download or upload files beyond intended access controls (crafted URL enables file ops) (CISA). This aligns with typical traversal mechanics where inadequate validation/normalization of path components lets an attacker redirect file operations to arbitrary locations (directory traversal mechanism) (NVD).
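To make the traversal mechanism concrete, here is an added Python illustration (not Zyxel's code, and not derived from the vulnerable firmware): a naive file resolver that trusts a decoded request path sits beside a hardened one that normalises and then checks containment. `BASE_DIR`, both function names and the sample request values are hypothetical.

```python
"""CWE-22 mechanism and its mitigation in a file-serving handler.

Added example, not Zyxel's code: BASE_DIR, the two resolver functions
and the sample request values are hypothetical. It contrasts a naive
join that trusts the decoded request path with a resolver that anchors
the normalised result to the intended directory.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical directory the handler is meant to serve files from.
BASE_DIR = "/srv/export"


def resolve_naive(requested: str) -> str:
    """Vulnerable pattern: decode, concatenate, and trust the result.

    '..' components survive normalisation and walk out of BASE_DIR.
    """
    return posixpath.normpath(posixpath.join(BASE_DIR, unquote(requested)))


def resolve_safe(requested: str) -> Optional[str]:
    """Hardened pattern: decode once, normalise, then verify containment.

    Returns the resolved path, or None when the request would reach
    outside BASE_DIR.
    """
    decoded = unquote(requested)
    # Absolute paths and NUL bytes are never legitimate here.
    if decoded.startswith("/") or "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded))
    # Containment check on the *normalised* path: it must be BASE_DIR
    # itself or live strictly beneath it.
    if candidate != BASE_DIR and not candidate.startswith(BASE_DIR + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("reports/2024.csv", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(f"{req!r:30} naive={resolve_naive(req)!r:28} safe={resolve_safe(req)!r}")
```

Two caveats a reviewer would raise: the check decodes exactly once, so it must run after the same decoding stage the server applies (a second decode downstream would reintroduce the flaw), and on a live filesystem the containment check should be applied to `os.path.realpath` so symlinks under the base directory cannot point elsewhere; `posixpath` is used here only so the example runs offline.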

The affected product family is “Multiple Zyxel Firewalls,” as recorded in public vulnerability listings (affected products scope) (NVD, MITRE). CISA’s catalog entry marks this CVE as exploited and tied to ransomware activity, indicating real-world abuse patterns rather than theoretical risk (KEV exploitation signal) (CISA).

Defense

  • Remediate per CISA’s directive: apply vendor mitigations immediately or discontinue use if fixes are unavailable (required action) (CISA).
  • Treat the due date (2024-12-24) as a hard deadline for high-risk assets, especially where management interfaces could be reached by untrusted networks (KEV due date) (CISA).
  • Validate exposure: confirm whether the web management interface is reachable from the internet or other untrusted networks, restrict it to trusted admin networks, and require strong authentication (management-plane exposure check) (NVD).
  • Telemetry and detection: monitor for URL patterns indicative of directory traversal attempts against firewall management URIs and anomalous file transfer responses consistent with CWE-22 abuse (CWE-22 context) (MITRE).
  • IR readiness: since KEV cites ransomware use, prepare for containment steps on devices showing suspicious file access or modification via the management plane (ransomware association) (CISA).
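The telemetry bullet above asks for traversal-shaped URL patterns against management URIs, correlated with the response. The following added Python example (not Lyrie's sensor logic and not Zyxel code) runs that check over constructed access-log lines: it percent-decodes until stable so double encoding cannot hide `..`, scopes the match to management-plane prefixes, and rates a successful non-empty response higher than a rejected one. The log layout, `MGMT_PREFIXES` and every sample line are assumptions to be adapted to the real log source.

```python
"""Flagging traversal-shaped requests against management-plane URIs.

Added example, not Lyrie's or Zyxel's code. The log layout, the
management URI prefixes and every sample line are constructed for
this illustration; adapt LOG_RE and MGMT_PREFIXES to the real source.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Hypothetical management-plane URI prefixes to scope the check to.
MGMT_PREFIXES = ("/cgi-bin/", "/admin/")

# Constructed sample lines: client-ip method path status bytes
SAMPLE_LOG = """\
203.0.113.10 GET /admin/login 200 1024
203.0.113.11 GET /admin/download?file=../../../etc/passwd 200 2048
203.0.113.12 GET /cgi-bin/export?path=%2e%2e%2f%2e%2e%2fetc%2fshadow 200 512
203.0.113.13 GET /cgi-bin/export?path=%252e%252e%252fetc%252fhosts 404 0
203.0.113.14 GET /public/images/logo.png 200 8192
203.0.113.15 POST /admin/upload?dest=..\\..\\config\\startup.conf 200 64
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double/triple encoding cannot hide '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(path: str) -> bool:
    """True when any path or query-value segment is exactly '..' after decoding.

    Backslashes are folded to '/' so Windows-style separators are caught too.
    """
    normalised = fully_decode(path).replace("\\", "/")
    segments = re.split(r"[/?&=]", normalised)
    return any(seg == ".." for seg in segments)


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one alert per management-plane request that looks like traversal.

    A 2xx status with a non-zero body is rated 'high': the file operation
    likely succeeded, which is the response delta worth paging on.
    """
    alerts: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ip, method, path, status, size = m.groups()
        if not path.startswith(MGMT_PREFIXES) or not has_traversal(path):
            continue
        status_i, size_i = int(status), int(size)
        severity = "high" if 200 <= status_i < 300 and size_i > 0 else "medium"
        alerts.append({"ip": ip, "method": method, "path": path,
                       "status": status_i, "bytes": size_i, "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"[{a['severity']:6}] {a['ip']} {a['method']} {a['path']} "
              f"-> {a['status']} ({a['bytes']} bytes)")
```

The prefix scoping keeps the rule quiet on ordinary content paths; the severity split lets an analyst triage confirmed file reads or writes (2xx with a body) ahead of blocked probes, which is the ransomware-readiness point the last bullet makes.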

Lyrie Verdict

This is a straightforward, automatable web-management traversal. Adversaries will sweep and hit at machine speed once targets are enumerated (KEV exploitation context) (CISA). Lyrie’s autonomous sensors lock onto traversal-shaped request paths and response deltas in management-plane flows, correlating CWE-22 patterns with file-operation outcomes in real time (CWE-22 reference) (NVD). We auto-prioritize assets matching “Multiple Zyxel Firewalls” fingerprints and escalate to active isolation policies when crafted-URL indicators appear, without waiting for human triage (product scope and crafted URL indicators) (MITRE). This is the exact class of bug where autonomous, pre-credential HTTP analytics outpace spray-and-pray exploitation.

Lyrie Verdict

Automatable traversal on a management plane demands machine-speed defense. Lyrie detects CWE-22-style crafted URLs and file-op anomalies in real time and isolates.