Zyxel Releases Patch for Critical Firewall OS Command Injection Vulnerability – CVE-2022-30525

Zyxel has moved to address a critical security vulnerability affecting Zyxel firewall devices that enables unauthenticated and remote attackers to gain arbitrary code execution.

“A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device,” the company said in an advisory published Thursday.

Cybersecurity firm Rapid7, which discovered and reported the flaw on April 13, 2022, said that the weakness could permit a remote unauthenticated adversary to execute code as the “nobody” user on impacted appliances.

Tracked as CVE-2022-30525 (CVSS score: 9.8), the flaw impacts the following products, with patches released in version ZLD V5.30 –

  • USG FLEX 100(W), 200, 500, 700
  • USG FLEX 50(W) / USG20(W)-VPN
  • ATP series, and
  • VPN series

Rapid 7 noted that there are at least 16,213 vulnerable Zyxel devices exposed to the internet, making it a lucrative attack vector for threat actors to stage potential exploitation attempts.

The cybersecurity firm also pointed out that Zyxel silently issued fixes to address the issue on April 28, 2022 without publishing an associated Common Vulnerabilities and Exposures (CVE) identifier or a security advisory. Zyxel, in its alert, blamed this on a “miscommunication during the disclosure coordination process.”

“Silent vulnerability patching tends to only help active attackers, and leaves defenders in the dark about the true risk of newly discovered issues,” Rapid7 researcher Jake Baines said.

The advisory comes as Zyxel addressed three different issues, including a command injection (CVE-2022-26413), a buffer overflow (CVE-2022-26414), and a local privilege escalation (CVE-2022-0556) flaw, in its VMG3312-T20A wireless router and AP Configurator that could lead to arbitrary code execution.

Recommended:  Apple fixes exploited iOS, iPadOS zero-day (CVE-2022-42827)


Suggest an edit to this article

Go to Cybersecurity Knowledge Base

Got to the Latest Cybersecurity News

Go to Cybersecurity Academy

Go to Homepage

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
Latest posts by RiSec.n0tst3 (see all)
Recommended:  WordPress Core 5.8.2 - 'WP_Query' SQL Injection [PoC]
Share the word, let's increase Cybersecurity Awareness as we know it

1 thought on “Zyxel Releases Patch for Critical Firewall OS Command Injection Vulnerability – CVE-2022-30525”

  1. Pingback: CISA adds CVE-2022-30525 flaw in Zyxel Firewalls to its Known Exploited Vulnerabilities Catalog

Leave a Comment

Your email address will not be published. Required fields are marked *

RiSec Captcha 98 − 94 =