Zyxel has released a patch for CVE-2022-30525, an OS command injection vulnerability in the CGI program of several firewall firmware versions. The flaw carries a CVSS score of 9.8 and allows an unauthenticated attacker to modify specific files and then execute OS commands on a vulnerable device. It is already being exploited, so Zyxel urges users to apply the patch as soon as possible.
OS command injection vulnerability
The vulnerability, which affects Zyxel firewall and VPN devices, was discovered by Jacob Baines of Rapid7, who said:
"Commands are executed as the nobody user. This vulnerability is exploited through the /ztp/cgi-bin/handler URI and is the result of passing unsanitized attacker input into the os.system method in lib_wan_settings.py."
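The bug class Baines describes is easier to see with the flawed pattern beside its fix. The following is an added illustration written for this article, not Zyxel's lib_wan_settings.py and not the request field Rapid7 reported; the "mtu" parameter, the wan0 interface and the ifconfig command are assumptions chosen only to show how unsanitized input reaches a shell through os.system() and how an allow-list plus shell-free execution closes the hole.

```python
import re
import subprocess

# Constructed illustration of the CVE-2022-30525 bug class. NOT Zyxel's code:
# the "mtu" field, the wan0 interface and the ifconfig command are assumptions.

# --- Vulnerable pattern ------------------------------------------------------
def build_vulnerable_command(mtu: str) -> str:
    """Build the string the flawed handler would hand to os.system().

    It is returned rather than executed so the demo is safe to run. In the real
    bug class os.system() passes the whole string to /bin/sh, so a ';', '|',
    '`' or '$(...)' in the input becomes a second command, run here as 'nobody'.
    """
    return "ifconfig wan0 mtu %s" % mtu


def shell_commands_in(cmd: str) -> list:
    """Split a command string on ';' roughly the way /bin/sh would (quoting
    subtleties ignored) so the injected second command is visible."""
    return [part.strip() for part in cmd.split(";") if part.strip()]


# --- Hardened pattern --------------------------------------------------------
MTU_RE = re.compile(r"^[0-9]{3,4}$")   # digits only: no room for metacharacters


def validate_mtu(value: str) -> int:
    """Allow-list validation: accept only a 3-4 digit number in a sane range."""
    if not MTU_RE.fullmatch(value):
        raise ValueError("mtu must be numeric")
    mtu = int(value)
    if not 576 <= mtu <= 9000:
        raise ValueError("mtu out of range")
    return mtu


def build_hardened_argv(mtu: str) -> list:
    """The validated value goes into an argv list. With shell=False no shell is
    ever invoked, so metacharacters in the input cannot be interpreted."""
    return ["ifconfig", "wan0", "mtu", str(validate_mtu(mtu))]


def run_hardened(mtu: str) -> int:
    """Execute without a shell and return the exit status. Not exercised by the
    demo because ifconfig may be absent or unprivileged on the host."""
    return subprocess.run(build_hardened_argv(mtu), shell=False,
                          check=False).returncode


def is_rejected(mtu: str) -> bool:
    """True if the hardened validator refuses the input."""
    try:
        build_hardened_argv(mtu)
    except ValueError:
        return True
    return False


# --- Coarse request-time check a WAF rule or log review could apply ----------
SHELL_METACHARS = re.compile(r"[;&|`$<>(){}\n]")


def looks_like_injection(value: str) -> bool:
    """Flag values that carry shell metacharacters where a number is expected."""
    return SHELL_METACHARS.search(value) is not None


if __name__ == "__main__":
    evil = "1500; id"          # constructed attacker input
    print(build_vulnerable_command(evil))
    print(shell_commands_in(build_vulnerable_command(evil)))
    print(build_hardened_argv("1500"), is_rejected(evil), looks_like_injection(evil))
```

The point of the hardened half is that validation alone is not the fix; the structural fix is that the command is passed as an argv list with shell=False, so even a value that slipped past the regex would be a single argument to ifconfig rather than input to /bin/sh. The metacharacter check is only a detection heuristic for request logs or a WAF, not a substitute for either.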
Rapid7 stated that a Shodan search found more than 16,000 vulnerable Zyxel products exposed on the internet, while Shadowserver reported more than 20,800 potentially affected Zyxel firewall devices currently reachable. Zyxel lists the vulnerable products as:
Affected model | Affected firmware version | Patch availability |
---|---|---|
USG FLEX 100(W), 200, 500, 700 | ZLD V5.00 through ZLD V5.21 Patch 1 | ZLD V5.30 |
USG FLEX 50(W) / USG20(W)-VPN | ZLD V5.10 through ZLD V5.21 Patch 1 | ZLD V5.30 |
ATP series | ZLD V5.10 through ZLD V5.21 Patch 1 | ZLD V5.30 |
VPN series | ZLD V4.60 through ZLD V5.21 Patch 1 | ZLD V5.30 |