Zyxel silently fixes critical RCE vulnerability in firewall products

LASER_oneXM

Level 37
Thread author
Verified
Top poster
Well-known
Feb 4, 2016
2,520
Threat analysts who discovered a vulnerability affecting multiple Zyxel products report that the network equipment company fixed it via a silent update pushed out two weeks ago.
More specifically, security researchers at Rapid7 found the flaw, which is now tracked as CVE-2022-30525 (CVSS v3 score: 9.8 – critical), and disclosed it to Zyxel on April 13, 2022.

The flaw is an unauthenticated remote command injection via the HTTP interface, affecting Zyxel firewalls supporting Zero Touch Provisioning (ZTP). The impacted firmware
versions are ZLD5.00 to ZLD5.21 Patch 1.

CVE-2022-30525 impacts the following models:

  • USG FLEX 50, 50W, 100W, 200, 500, 700 using firmware 5.21 and below
  • USG20-VPN and USG20W-VPN using firmware 5.21 and below
  • ATP 100, 200, 500, 700, 800 using firmware 5.21 and below
These products are typically used in small branches and corporate headquarters for VPN, SSL inspection, intrusion protection, email security, and web filtering.

“Commands are executed as the “nobody” user. This vulnerability is exploited through the /ztp/cgi-bin/handler URI and is the result of passing unsanitized attacker input into the os.system method in lib_wan_settings.py,” explains the Rapid 7 report.

“The vulnerable functionality is invoked in association with the setWanPortSt command. An attacker can inject arbitrary commands into the mtu or the data parameter.”