External risk intelligence

Zyxel Firewall Command Injection Vulnerability.

CVE advisoryKnown Exploit

CVE-2022-30525

A vulnerability in certain Zyxel firewall devices allows attackers to modify files and execute OS commands. This can lead to unauthorized system control and compromise, posing a significant business risk. Organizations should identify and update affected devices promptly.

5Halo Surface Signal

OS Command Injection

Zyxel Usg Flex 100w Firmware

5.00 to before 5.305.00 to 5.304.60 to before 5.305.10 to before 5.30

External exposure likelihood

Halo Surface Signal score for CVE-2022-30525

The affected devices are network firewalls and VPN appliances. These products are designed to serve as internet-facing gateways and edge services to manage network traffic and remote access, making them inherently public-facing components of an organization's network perimeter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in the CGI program of specific Zyxel firewall devices. This flaw could enable an attacker to alter files on the device and subsequently execute operating system commands. The potential impact includes unauthorized modification of device configurations and execution of arbitrary commands, which can compromise the integrity and control of the affected systems.

  • Vulnerable Zyxel firewall devices.
  • Flaw allows file modification and command execution.
  • Risk of system compromise and unauthorized control.

Attack Path

How an attacker could exploit the issue

An OS command injection vulnerability exists in the CGI program of certain Zyxel firewall and VPN devices. This vulnerability allows an unauthenticated attacker to modify files and execute commands on the device. The affected devices are network-facing, increasing the potential for external access.

  • Network exposure
  • Unauthenticated attacker
  • Trigger commands, gain control

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows an attacker to execute operating system commands on a vulnerable device, potentially modifying files and gaining control. The critical severity indicates a significant potential for damage. Organizations should consider this a high-priority issue due to the ease of exploitation and the potential for widespread impact.

  • Likely attacker skill level: Low
  • Required access or conditions: Network access
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An OS command injection vulnerability has been identified in specific Zyxel firewall models. This vulnerability could allow an unauthenticated attacker to modify files and execute commands on a vulnerable device, posing a significant risk to organizational data and systems. The attacker can exploit this by sending specially crafted requests to the affected CGI program.

  • Find affected Zyxel firewall assets.
  • Restrict network access to exposed devices.
  • Apply vendor updates, verify remediation, and monitor systems.

Frequently asked questions

What Zyxel firewall firmware versions are affected by the OS command injection vulnerability CVE-2022-30525?

The OS command injection vulnerability CVE-2022-30525 affects Zyxel USG FLEX 100(W), USG FLEX 200, USG FLEX 500, USG FLEX 700, USG FLEX 50(W), USG20(W)-VPN, ATP series, and VPN series devices. Specific firmware versions range from 5.00 to 5.21 Patch 1 for most, and 4.60 to 5.21 Patch 1 for the VPN series. Affected configurations vary by product line, with some versions extending up to 5.30.

What is the weakness class for CVE-2022-30525 and how does it enable exploitation?

The weakness class for CVE-2022-30525 is CWE-78, which signifies OS command injection. This vulnerability allows an attacker to inject and execute arbitrary operating system commands on the vulnerable device by manipulating the CGI program. Successful exploitation can lead to unauthorized file modifications and complete system compromise.

How can an attacker exploit the OS command injection vulnerability in Zyxel firewalls?

An attacker can exploit this vulnerability by sending specially crafted requests to the affected CGI program on the Zyxel firewall. This can allow them to modify specific files on the device and then execute OS commands, potentially leading to unauthorized access and control over the network infrastructure.

Why is CVE-2022-30525 considered a high-priority threat on Halo Surface?

CVE-2022-30525 is rated as 'Very likely' to be exploited due to the nature of the affected devices. Zyxel firewalls and VPN appliances are typically internet-facing gateways, making them prime targets for external attackers. This external exposure significantly increases the risk and urgency for remediation.

What steps should be taken to remediate the Zyxel firewall command injection vulnerability?

To address this vulnerability, organizations should first identify all affected Zyxel firewall assets. It is crucial to apply the latest firmware updates provided by Zyxel. After applying updates, verify that the remediation has been successful and implement continuous monitoring of the systems to detect any suspicious activity.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified