CVE-2024-11667

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-11667

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

A

directory traversal vulnerability in the web management interface of Zyxel ATP series firmware versions V5.00 through V5.38, USG FLEX series firmware versions V5.00 through V5.38, USG FLEX 50(W) series firmware versions V5.10 through V5.38, and USG20(W)-VPN series firmware versions V5.10 through V5.38 could allow an attacker to download or upload files via a crafted URL.

References
Link Resource
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-protecting-against-recent-firewall-threats-11-27-2024 Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-11667 US Government Resource
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*
OR cpe:2.3:h:zyxel:atp:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*
OR cpe:2.3:h:zyxel:usg_flex:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_100ax:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_50:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_20w-vpn:-:*:*:*:*:*:*:*
History

27 Oct 2025, 17:04

Type Values Removed Values Added
References () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-11667 - () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-11667 - US Government Resource

21 Oct 2025, 23:16

Type Values Removed Values Added
References
  • () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-11667 -

21 Oct 2025, 20:19

Type Values Removed Values Added
References
  • {'url': 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-11667', 'source': '134c704f-9b21-4f2e-91b3-4a467353bcc0'}

21 Oct 2025, 19:20

Type Values Removed Values Added
References
  • () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-11667 -

05 Dec 2024, 18:41

Type Values Removed Values Added
CPE cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_100ax:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_20w-vpn:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_50:-:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*
First Time Zyxel usg Flex 500
Zyxel zld
Zyxel atp500
Zyxel usg Flex 100w
Zyxel
Zyxel usg 20w-vpn
Zyxel atp200
Zyxel atp100
Zyxel usg Flex 100ax
Zyxel atp100w
Zyxel usg Flex 50w
Zyxel atp800
Zyxel atp700
Zyxel usg Flex 700
Zyxel atp
Zyxel usg Flex 50
Zyxel usg Flex 200
Zyxel usg Flex
Zyxel usg Flex 100
References () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-protecting-against-recent-firewall-threats-11-27-2024 - () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-protecting-against-recent-firewall-threats-11-27-2024 - Vendor Advisory

28 Nov 2024, 03:15

Type Values Removed Values Added
References
  • {'url': 'https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-protecting-against-recent-firewall-threats-11-21-2024', 'source': '[email protected]'}
  • () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-protecting-against-recent-firewall-threats-11-27-2024 -
Summary
  • (es) Una vulnerabilidad de directory traversal en la interfaz de administración web de las versiones de firmware de la serie Zyxel ATP V5.00 a V5.38, las versiones de firmware de la serie USG FLEX V5.00 a V5.38, las versiones de firmware de la serie USG FLEX 50(W) V5.10 a V5.38 y las versiones de firmware de la serie USG20(W)-VPN V5.10 a V5.38 podría permitir que un atacante descargue o cargue archivos a través de una URL manipulada específicamente.

27 Nov 2024, 10:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-11-27 10:15

Updated : 2025-10-27 17:04

NVD link : CVE-2024-11667

Mitre link : CVE-2024-11667

CVE.ORG link : CVE-2024-11667

JSON object : View

Products Affected

zyxel

CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')