PatchDay Alert
Analysis · 6 min read · 1,199 words · By The Commentary Desk · Commentary

Zyxel patched CVE-2024-11667 in September. They named it in November

The fix shipped on September 3, 2024. The CVE assignment came eleven weeks later, after Helldown was already in production networks. The customers who patched on time still got compromised.


Zyxel shipped the fix for CVE-2024-11667 on September 3, 2024. They named the CVE on November 27, 2024. In between, Helldown ransomware operators were pulling /etc/passwd off ATP and USG FLEX firewalls, minting backdoor admin accounts, and pivoting into domain controllers. Customers running ZLD 5.38 in October had no public signal that their firewall carried an actively exploited bug, because the vendor that fixed it in September decided not to mention it until late November.

What the bug is, briefly

CVE-2024-11667 is a CWE-22 path traversal in the HTTPS management interface of Zyxel’s ZLD-based firewalls: ATP, USG FLEX, USG FLEX 50/W, and USG20/W-VPN, firmware V5.00 through V5.38 (V5.10 through V5.38 for the two smaller models). NVD scores it 7.5 with the vector AV:N/AC:L/PR:N/UI:N. No login is required; network reachability to the management port is the only precondition. The flaw yields both a read primitive and a write primitive: an attacker can download arbitrary files (including the local credential database and running config) and upload arbitrary files to the appliance.

Some incident writeups describe CVE-2024-11667 as a post-auth step in the live Helldown chain, used after CVE-2024-42057 establishes the initial foothold via IPSec. NVD’s PR:N is the authoritative pre-auth designation, and that’s the one to use for exposure assessment. The friction between the two readings is worth knowing about, but it doesn’t change the action item.
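As an added illustration (not code from Zyxel or from any of the incident reports cited here), the following is a small detector for the class of request CVE-2024-11667 belongs to: CWE-22 traversal against a web management interface, run over constructed access-log lines. It percent-decodes until the value is stable (so double-encoded `%252F` is caught), treats backslashes as separators, and then counts `..` segments instead of grepping for `../`, because the naive substring check misses exactly the variants that get sent. The endpoint paths, query parameter names and client addresses are invented; the page does not give the vulnerable URL and none is assumed.

```python
"""Flag CWE-22 traversal attempts in web-management access logs.

Added example for this article, not Zyxel code and not a signature for a
specific endpoint: the log lines below are constructed and the request
targets are illustrative encodings, not captured CVE-2024-11667 traffic.
"""
import re
from urllib.parse import unquote

# Constructed lines: client, method, request target, status (not real logs).
SAMPLE_LOG = """\
203.0.113.10 GET /ext-js/index.html 200
203.0.113.10 GET /images/../../../etc/passwd 200
198.51.100.7 GET /cgi-bin/export?file=..%2F..%2Fetc%2Fpasswd 200
198.51.100.7 GET /cgi-bin/export?file=..%252F..%252Fetc%252Fpasswd 200
192.0.2.5 GET /cgi-bin/export?file=..\\..\\etc\\passwd 200
192.0.2.9 POST /cgi-bin/import?file=../../../tmp/zzz1.conf 200
192.0.2.9 GET /redirect.cgi?arg=.%2e/.%2e/etc/shadow 404
10.0.0.3 GET /status/../dashboard 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def normalize(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded, so nested encodings cannot loop
    forever) and treat backslashes as separators, as lenient servers do."""
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")


def escapes_root(value: str) -> bool:
    """True when '..' segments climb above the start of the value.
    '/status/../dashboard' stays inside its tree and is not flagged."""
    depth = 0
    for seg in value.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def scan(log_text: str) -> list[dict]:
    """Return one record per request whose path or any query value escapes."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        path, _, query = target.partition("?")
        suspicious = escapes_root(normalize(path))
        for pair in (query.split("&") if query else ()):
            _, _, val = pair.partition("=")
            if escapes_root(normalize(val)):
                suspicious = True
        if suspicious:
            hits.append({"client": client, "method": method,
                         "target": target, "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with a 2xx status on a device that was reachable from the WAN between September and early December 2024 should be treated as a probable read of the credential database, which is what makes the upgrade alone insufficient for that device. The POST variant is the write side of the same primitive; the file name in that sample line is chosen to echo the staging file the Helldown reports describe, not because the upload path is known.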

The three-month gap

ZLD 5.39 dropped on September 3, 2024. The release fixed seven firewall CVEs that day: CVE-2024-6343, CVE-2024-7203, and CVE-2024-42057 through -42061. CVE-2024-11667 was patched in the same release. It was not in the September advisory. It was not assigned a CVE identifier. It was not named.

The first time Zyxel mentioned it publicly was November 21, 2024, in an advisory titled “protecting against recent firewall threats” that initially framed the activity as exploitation of “previously disclosed vulnerabilities.” The November 27 update finally named CVE-2024-11667 and acknowledged active in-the-wild exploitation. CISA added it to KEV on December 3, 2024, with a federal remediation deadline of December 24.

The public record does not say whether Zyxel sat on the CVE assignment deliberately or whether MITRE simply lagged. For the customer running 5.38, those two stories produce the same outcome: a vulnerability the vendor knew enough to fix, with no signal anywhere in the ecosystem that it was worth prioritizing the upgrade. By the time Sekoia, Bleeping Computer, and Germany’s CERT-Bund were publishing on Helldown’s Zyxel campaign, the patch had been available for nearly three months and most operators had no reason to think 5.39 was urgent.

This is the second time Zyxel has done a version of this. Rapid7’s writeup of CVE-2023-28771 noted that the IKEv2 bug went from theoretical to widely exploited within days of a public PoC, after months of quiet on the vendor side. Different bug, different protocol, same shape of disclosure.

5.39 wasn’t a clean state

Censys counted roughly 1,500 affected devices on the public internet with the management interface exposed during the unnamed-CVE window. Sekoia tied at least 8 of Helldown’s 31-32 leak-site victims to Zyxel firewalls at the time of breach — small businesses, mostly in the US and Germany, with a handful in France and Switzerland. That’s the population the September silence was running against.

Germany’s CERT-Bund put out an addendum on November 22, 2024 noting that organizations which applied ZLD 5.39 without rotating administrative credentials and auditing VPN user accounts were still being successfully compromised. Helldown had used the pre-patch window to create backdoor admin accounts (the recurring names are SUPPORT87, SUPPOR817, and OKSDW82A, along with generic vpn accounts) and those accounts persisted through the firmware upgrade. Sekoia further documented a malicious VPN configuration file, zzz1.conf, containing a MIPS ELF binary, meaning the firewall itself was being used as a staging host. Whether that binary survives a firmware-only upgrade is not formally documented by Zyxel.

A “patch available” headline that doesn’t reflect operational reality is a small lie that adds up. The Zyxel advisory does eventually get to credential rotation, but the framing across the September and November advisories reads as “apply the firmware and you’re clean,” and that framing was wrong for any device that had been reachable from the WAN during the pre-patch window. Two of the victims Sekoia documented replaced their Zyxel units with competing products in the weeks after compromise. That is a small sample, but it’s the kind of signal vendors usually claim to listen for.

CISA’s KEV entry for CVE-2024-11667 includes an “Additional CISA Mitigation Instructions” pointer to advisory AA25-163A. AA25-163A is about SimpleHelp RMM and CVE-2024-57727. Helldown targets both, which is presumably how the wires got crossed, but the operator who clicks through from the KEV entry hoping for Zyxel-specific federal guidance will not find any. The Zyxel-specific guidance from the federal side is the KEV listing itself, and that’s it.

This is a small thing. It’s also exactly the kind of small thing that erodes trust in the institutions an operator is supposed to be able to rely on at 11pm on a Tuesday.

Why this keeps happening

The pattern isn’t unique to Zyxel, but Zyxel keeps providing tidy examples of it. A vendor ships a fix in a routine release. The fix gets a CVE eventually, sometimes weeks later, sometimes after exploitation is already public. The advisory framing emphasizes the firmware upgrade and underplays the post-compromise hygiene. The federal listing arrives once the attack is in the news, sometimes with the wrong pointer attached. The customer is left to reconstruct the operational reality from third-party incident reports.

The structural problem is that the incentives reward silent fixes. Naming a CVE on day one of a release creates support-call pressure, regulatory questions, and possible insurance complications. Not naming it costs nothing in the short term, because most customers won’t notice. The cost is borne by the operators whose firewalls get turned during the unnamed-CVE window, and those operators don’t have a feedback channel that reaches the disclosure team.

Zyxel’s posture on EOL hardware is a related tell. Earlier in 2025 the company explicitly refused to patch end-of-life routers under active zero-day attack via CVE-2024-40891, with VulnCheck publicly criticizing the decision to keep selling devices known to be unpatched. CVE-2024-11667 itself is a clean fix on supported hardware. The surrounding posture is not clean.

What you should actually expect

If your ZLD firewall had WAN-side management exposed between September and early December 2024, the firmware upgrade was the easy part. The CERT-Bund addendum and the Sekoia writeups make clear that “applied 5.39” was not a clean state for affected devices: the SUPPORT87 / SUPPOR817 / OKSDW82A accounts persisted through upgrade, zzz1.conf parked a MIPS binary on the appliance itself, and LDAP sync credentials stored on the firewall handed Helldown the domain in multiple documented cases. None of that is operator failure. All of it is the consequence of a vendor advisory that told customers to patch and stopped talking.
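The checks that the CERT-Bund addendum and the Sekoia writeups imply (for the persistence described in the 5.39 section as well as the summary above), written out as an added example that is not Zyxel tooling and not code from either report: diff the firewall's user list against a baseline you trust rather than only against the three reported names, and decide from the pre-upgrade version and WAN exposure whether rotation is required regardless of whether a backdoor account was found. The `username <name> [password <hash>] user-type <type>` line shape is an assumption modelled on ZLD CLI syntax, and the config excerpt is constructed; adjust the regex to a real running-config export.

```python
"""Post-upgrade audit: is a ZLD firewall on 5.39 actually a clean state?

Added example for this article, not Zyxel tooling and not code from the
CERT-Bund or Sekoia reports. Assumptions: the `username <name> [password
<hash>] user-type <type>` line shape is modelled on ZLD CLI syntax, and the
config excerpt below is constructed, not a real export.
"""
import re
from dataclasses import dataclass

# Account names reported in the Helldown intrusions.
KNOWN_BACKDOOR_NAMES = {"SUPPORT87", "SUPPOR817", "OKSDW82A"}

# Affected firmware ranges as stated in the Zyxel advisory: (low, high) inclusive.
AFFECTED_RANGES = {
    "ATP": ((5, 0), (5, 38)),
    "USG FLEX": ((5, 0), (5, 38)),
    "USG FLEX 50": ((5, 10), (5, 38)),
    "USG20-VPN": ((5, 10), (5, 38)),
}

# Constructed config excerpt (assumed ZLD-like syntax).
SAMPLE_CONFIG = """\
username admin password $4$aaaa$ user-type admin
username netops password $4$bbbb$ user-type admin
username SUPPORT87 password $4$cccc$ user-type admin
username OKSDW82A password $4$dddd$ user-type limited-admin
username vpn user-type user
username vpn01 password $4$eeee$ user-type user
"""

USER_RE = re.compile(r"^username (\S+)(?: password \S+)? user-type (\S+)")


@dataclass(frozen=True)
class Finding:
    account: str
    user_type: str
    reason: str


def parse_version(version: str) -> tuple[int, int]:
    """'V5.38(ABUJ.0)' or '5.39' -> (5, 38); the build suffix is ignored."""
    m = re.match(r"V?(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognized ZLD version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def was_affected(model: str, version: str) -> bool:
    """True if the firmware the device ran before upgrading was in range."""
    low, high = AFFECTED_RANGES[model]
    return low <= parse_version(version) <= high


def audit_accounts(config_text: str, baseline: set[str]) -> list[Finding]:
    """Flag known Helldown names first, then anything outside the baseline.
    The baseline diff is the part that matters: an attacker who read the
    credential database does not need to reuse a reported account name."""
    findings = []
    for line in config_text.splitlines():
        m = USER_RE.match(line)
        if not m:
            continue
        name, user_type = m.groups()
        if name.upper() in KNOWN_BACKDOOR_NAMES:
            findings.append(Finding(name, user_type, "known Helldown account name"))
        elif name not in baseline:
            findings.append(Finding(name, user_type, "not in approved baseline"))
    return findings


def required_actions(model: str, pre_upgrade_version: str,
                     wan_management_exposed: bool,
                     findings: list[Finding]) -> list[str]:
    """What the firmware upgrade alone does not cover. Rotation is keyed on
    exposure during the affected window, not on whether a backdoor was found."""
    actions = [f"remove or verify account {f.account} ({f.reason})" for f in findings]
    if was_affected(model, pre_upgrade_version) and wan_management_exposed:
        actions += [
            "rotate every local admin and VPN user credential",
            "rotate the LDAP/AD sync credentials stored on the firewall",
            "look for unexpected VPN config files (e.g. zzz1.conf) and binaries",
        ]
    return actions


if __name__ == "__main__":
    found = audit_accounts(SAMPLE_CONFIG, {"admin", "netops", "vpn01"})
    for action in required_actions("USG FLEX", "V5.38(ABUJ.0)", True, found):
        print(action)
```

The design choice worth noting is that `required_actions` adds the rotation steps whenever the device was in the affected range and reachable from the WAN, even with an empty findings list: a clean user list after a pre-patch exposure proves only that nobody left an obvious account behind, not that the credential database was never read.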

A “patch released” headline is a starting point, not an ending point, and the vendors who tell you otherwise are the ones whose customers end up on the leak sites.
