Zyxel has released a security update for a critical vulnerability, tracked as CVE-2022-30525, discovered by Rapid7 in April 2022. The vulnerability could allow a command injection in the CGI program in a number of firewall products. This could allow a remote unauthenticated attacker to modify specific files and then execute operating system (OS) commands on a vulnerable device.

A Metasploit exploit module has been developed for this vulnerability. An attacker could use the module to exploit CVE-2022-30525 and establish a remote shell.

Exploitation of CVE-2022-30525

There are reports that Zyxel products vulnerable to CVE-2022-30525 are being exploited in the wild.

Remediation advice

Affected organisation are encourage to review Zyxel's security advisory and apply relevant updates and mitigations.

Definitive source of threat updates

CVE Vulnerabilities

Status Published

CVE-2022-30525

A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

Last edited: 16 May 2022 10:30 am