CVE-2024-42059
📋 TL;DR
This is a post-authentication command injection vulnerability in multiple Zyxel firewall series. An authenticated attacker with administrator privileges can execute OS commands by uploading a crafted compressed language file via FTP. Affected devices include Zyxel ATP series, USG FLEX series, USG FLEX 50(W) series, and USG20(W)-VPN series.
💻 Affected Systems
- Zyxel ATP series
- Zyxel USG FLEX series
- Zyxel USG FLEX 50(W) series
- Zyxel USG20(W)-VPN series
📦 What is this software?
Zld by Zyxel
⚠️ Risk & Real-World Impact
Worst Case
Full device compromise, allowing an attacker to install persistent backdoors, exfiltrate network data, pivot to internal networks, or disrupt firewall operations.
Likely Case
The attacker gains shell access to execute arbitrary commands, potentially leading to data theft, network reconnaissance, or service disruption.
If Mitigated
Limited impact due to strong access controls, monitoring, and network segmentation preventing lateral movement.
🎯 Exploit Status
Exploitation requires administrator credentials and FTP access to upload malicious files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V5.39 or later
Vendor Advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024
Restart Required: Yes
Instructions:
1. Download firmware V5.39 or later from the Zyxel support portal.
2. Back up the current configuration.
3. Upload and install the new firmware via the web interface.
4. Reboot the device.
5. Verify the firmware version.
🔧 Temporary Workarounds
Restrict FTP access
Disable FTP access or restrict it to trusted IP addresses only.
Limit administrator accounts
Reduce the number of administrator accounts and enforce strong authentication.
🧯 If You Can't Patch
- Implement network segmentation to isolate affected firewalls from critical assets.
- Enable detailed logging and monitoring for FTP upload activities and command execution attempts.
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the web interface: System > Maintenance > Firmware. If the version is between V5.00 and V5.38 inclusive, the device is vulnerable.
Check Version:
No CLI command is provided; use the web interface as described.
Verify Fix Applied:
Verify that the firmware version is V5.39 or later in System > Maintenance > Firmware.
📡 Detection & Monitoring
Log Indicators:
- Unusual FTP uploads of language files
- Suspicious command execution in system logs
- Multiple failed authentication attempts followed by FTP access
Network Indicators:
- Unexpected FTP connections to firewall management interface
- Outbound connections from firewall to suspicious IPs
SIEM Query:
source="firewall_logs" AND ((event="ftp_upload" AND (file="*.zip" OR file="*.tar")) OR event="command_execution")
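The log indicators above, implemented over constructed sample lines as an added example (not from the advisory or from Zyxel): it flags FTP uploads of .zip/.tar archives and command-execution events, and notes when repeated failed logins preceded the FTP activity. The `src`/`user`/`event`/`file`/`cmd` field names and the line layout are assumptions, not the firewall's real log format.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real Zyxel output); key=value fields
# mirror the event=... file=... shape used in the SIEM query above.
SAMPLE_LOGS = """\
2024-09-03T10:01:12Z src=10.0.0.5 user=admin event=auth_failure
2024-09-03T10:01:20Z src=10.0.0.5 user=admin event=auth_failure
2024-09-03T10:01:31Z src=10.0.0.5 user=admin event=auth_success
2024-09-03T10:02:05Z src=10.0.0.5 user=admin event=ftp_upload file=lang_en.zip
2024-09-03T10:02:09Z src=10.0.0.5 user=admin event=command_execution cmd=sh
2024-09-03T10:05:00Z src=10.0.0.9 user=ops event=ftp_upload file=backup.conf
"""

KV = re.compile(r'(\w+)=(\S+)')              # key=value tokens after the timestamp
ARCHIVE = re.compile(r'\.(zip|tar)$', re.IGNORECASE)  # compressed language-file types


def parse_line(line):
    """Split a log line into a dict of fields (assumed format: timestamp, then key=value pairs)."""
    ts, rest = line.split(' ', 1)
    fields = dict(KV.findall(rest))
    fields['ts'] = ts
    return fields


def matches_siem_query(ev):
    """Same logic as the SIEM query: archive FTP upload, or any command execution."""
    if ev.get('event') == 'command_execution':
        return True
    return ev.get('event') == 'ftp_upload' and bool(ARCHIVE.search(ev.get('file', '')))


def correlate(log_text):
    """Group events per source IP and return only sources showing archive uploads or command execution."""
    findings = defaultdict(lambda: {'failed_auth': 0, 'archive_upload': [],
                                    'cmd_exec': [], 'auth_then_ftp': False})
    for line in log_text.splitlines():
        ev = parse_line(line)
        f = findings[ev['src']]
        if ev['event'] == 'auth_failure':
            f['failed_auth'] += 1
        elif ev['event'] == 'ftp_upload':
            if ARCHIVE.search(ev.get('file', '')):
                f['archive_upload'].append(ev['file'])
            if f['failed_auth'] >= 2:          # "multiple failed attempts followed by FTP access"
                f['auth_then_ftp'] = True
        elif ev['event'] == 'command_execution':
            f['cmd_exec'].append(ev.get('cmd', ''))
    return {src: f for src, f in findings.items() if f['archive_upload'] or f['cmd_exec']}
```

Only 10.0.0.5 is reported for the sample data; the plain .conf upload from 10.0.0.9 does not match.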