A new ransomware threat, Helldown, is exploiting CVE-2024-11667, a directory traversal flaw in Zyxel ZLD firewall firmware (versions 5.00–5.38), to target corporate networks. This vulnerability allows attackers to upload or download files via crafted URLs, enabling system compromise. Helldown employs advanced tactics, including credential dumping with Mimikatz, lateral movement using RDP, and a double extortion strategy where sensitive data is exfiltrated and threatened with exposure on the dark web. The ransomware targets both Windows and Linux systems, affecting VMware ESXi servers and small to medium-sized businesses in the U.S. and Europe. Despite Zyxel releasing a patch (firmware version 5.39), some organizations remain vulnerable due to weak password practices and unmonitored malicious account creation. Organizations are advised to update firmware, change passwords, disable remote management, and implement network segmentation to mitigate the risk.
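The mitigation steps above can be turned into a quick inventory triage. The following is an added example, not code from Zyxel or from the original write-up: it flags devices whose firmware falls in the affected 5.00–5.38 range and devices with remote management exposed. The CSV columns, host names, `XXXX` model codes and the `V<major>.<minor>(...)` version-string format are assumptions made for illustration.

```python
import csv
import io
import re

# Affected range and fixed release as stated in the text above.
VULN_MIN, VULN_MAX, FIXED = (5, 0), (5, 38), (5, 39)
# Assumed version format: optional "V", major.minor, optional build suffix.
VERSION_RE = re.compile(r"^\s*[Vv]?(\d+)\.(\d+)")

# Constructed sample inventory (hypothetical hosts and placeholder model codes).
SAMPLE_INVENTORY = """host,firmware,wan_mgmt
fw-branch-01,V5.38(XXXX.0),yes
fw-hq-01,V5.39(XXXX.0),no
fw-lab-01,5.00,no
fw-old-01,V4.73(XXXX.1),yes
fw-dr-01,n/a,no
"""

def classify(firmware: str) -> str:
    """Map a firmware string to vulnerable / patched / outside-range / unknown."""
    m = VERSION_RE.match(firmware or "")
    if not m:
        return "unknown"  # never treat an unparseable version as safe
    ver = (int(m.group(1)), int(m.group(2)))
    if VULN_MIN <= ver <= VULN_MAX:
        return "vulnerable"
    return "patched" if ver >= FIXED else "outside-range"

def triage(inventory_csv: str) -> list[dict]:
    """Return one finding per device that needs at least one action."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row.get("firmware", ""))
        actions = []
        if status == "vulnerable":
            actions += ["upgrade to 5.39", "change passwords", "review accounts"]
        elif status != "patched":
            actions.append("verify firmware manually")
        if row.get("wan_mgmt", "").strip().lower() == "yes":
            actions.append("disable remote management")
        if actions:
            findings.append({"host": row["host"], "status": status,
                             "actions": actions})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']}: {f['status']} -> {', '.join(f['actions'])}")
```

Because patched devices can still be compromised through previously stolen credentials or rogue accounts, a "patched" result here does not replace the password change and account review on devices that ran an affected version earlier.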