Dive Brief:
- Multiple government authorities and security researchers are warning about a directory traversal vulnerability in Zyxel Networks firewalls that threat actors are actively exploiting to deploy Helldown ransomware.
- The vulnerability, listed as CVE-2024-11667, with a CVSS score of 7.5, is located in the web management interface of Zyxel ZLD firewall firmware versions 5.00 through 5.38, and could allow an attacker to download or upload files through a crafted URL. The Cybersecurity and Infrastructure Security Agency on Tuesday added the CVE to its known exploited vulnerabilities catalog.
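The advisory describes the flaw only as a crafted URL that lets an attacker read or write files outside the intended directory; the exact request is not published here. The following is an added example, not code from Zyxel, CISA or Sekoia, showing how a defender would hunt for generic directory-traversal attempts in web-server access logs: percent-decode the request URI repeatedly (double encoding is a common evasion), fold backslashes to slashes, and then look for a bare `..` path segment. The log lines are constructed for the example and do not come from a Zyxel device.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format (hypothetical;
# not from a Zyxel firewall or any real incident).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Nov/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [25/Nov/2024:10:01:05 +0000] "GET /cgi-bin/export?file=../../etc/passwd HTTP/1.1" 200 1871
198.51.100.4 - - [25/Nov/2024:10:02:10 +0000] "GET /img/%2e%2e/%2e%2e/conf/secret HTTP/1.1" 404 0
198.51.100.4 - - [25/Nov/2024:10:02:11 +0000] "GET /img/%252e%252e/%252e%252e/conf/secret HTTP/1.1" 404 0
192.0.2.9 - - [25/Nov/2024:10:03:00 +0000] "POST /upload?path=..\\..\\www\\shell.cgi HTTP/1.1" 200 20
192.0.2.9 - - [25/Nov/2024:10:03:30 +0000] "GET /docs/release..notes.txt HTTP/1.1" 200 1000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# A ".." that is its own path segment: not glued to a filename on the left
# (so "release..notes.txt" is ignored) and followed by a separator or the end.
TRAVERSAL_RE = re.compile(r'(?<![A-Za-z0-9_.\-])\.\.(?=[/\\]|$)')


def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) and fold backslashes to slashes.

    Double-encoded payloads such as %252e%252e need two decode passes; the
    bound stops pathological inputs from looping indefinitely.
    """
    prev, out, rounds = None, uri, 0
    while out != prev and rounds < max_rounds:
        prev = out
        out = unquote(out)
        rounds += 1
    return out.replace("\\", "/")


def has_traversal(uri: str) -> bool:
    """True if the decoded URI contains a '..' path segment."""
    return TRAVERSAL_RE.search(normalize_uri(uri)) is not None


def find_traversal_attempts(log_text: str) -> list[dict]:
    """Return one record per log line whose request URI contains traversal.

    'served' flags requests the server answered with 200, which deserve the
    first look: a 404 is a probe, a 200 may be a successful file read or write.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        if has_traversal(m["uri"]):
            status = int(m["status"])
            hits.append({
                "ip": m["ip"],
                "method": m["method"],
                "uri": m["uri"],
                "decoded": normalize_uri(m["uri"]),
                "status": status,
                "served": status == 200,
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "probe"
        print(f'{flag:6} {hit["ip"]:14} {hit["method"]:4} {hit["decoded"]}')
```

Run against the sample, the script flags four of the six lines: the two plain `../` requests, the single- and double-encoded `%2e%2e` variants, and the backslash form, while leaving `release..notes.txt` alone. On a real device the same logic would be pointed at the management interface's access log, and any 200 response to a traversal request from an unfamiliar source address should be treated as a possible compromise, not just a scan.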
- Zyxel, in a blog post, confirmed it is aware of recent attempts to exploit the vulnerability, following disclosures from security researchers at Sekoia. The company is urging users to immediately update their firmware and change their admin passwords.
Dive Insight:
Authorities in Germany alongside Zyxel officials warned in late November about the vulnerability in Zyxel firewalls being exploited to deploy Helldown ransomware.
German officials on Wednesday told Cybersecurity Dive that Helldown is based on the publicly available builder of LockBit ransomware, which has been used as a basis to build various ransomware versions.
Helldown was first observed in August and named about 32 victims on its leak site, before the site became inaccessible on Nov. 21, according to a spokesman for the German CERT.
Most of the targeted companies were small to medium-sized, although a few were larger organizations, according to Sekoia. Most of the victims were located in the United States.
Researchers from Sekoia told Cybersecurity Dive that some victims had been using end-of-life versions of the firewalls, which were no longer supported, but others were still using more recent versions with supported firmware.
Researchers from Truesec said the attackers were observed creating local accounts on Zyxel firewalls and downloading Mimikatz to dump credentials, including Active Directory credentials, from targeted companies. The attackers also downloaded advanced port scanners from GitHub.
Researchers saw the attackers disable antivirus software and then deploy TeamViewer or use the built-in Windows Remote Desktop Protocol to move laterally through targeted networks.