A critical vulnerability (CVE-2022-30525) affecting several models of Zyxel firewalls has been publicly revealed, along with a Metasploit module that exploits it.
Discovered by Rapid7 researcher Jake Baines and disclosed to Zyxel on April 13, it was fixed with patches released on April 28, but the company did not publicly acknowledge it via an associated CVE or security advisory until now.
CVE-2022-30525 is a vulnerability that may be exploited by unauthenticated, remote attackers to inject OS commands via the vulnerable firewalls’ administrative HTTP interface (if it is exposed on the internet), allowing them to modify specific files and execute commands on the device.
As confirmed by Zyxel, it affects the following firewall models and firmware versions:
- USG FLEX 100(W), 200, 500, 700 – Firmware: ZLD V5.00 through ZLD V5.21 Patch 1
- USG FLEX 50(W) / USG20(W)-VPN – Firmware: ZLD V5.10 through ZLD V5.21 Patch 1
- ATP series – Firmware: ZLD V5.10 through ZLD V5.21 Patch 1
- VPN series – Firmware: ZLD V4.60 through ZLD V5.21 Patch 1
Fixes and mitigations
With a patch out there that can be reverse-engineered and a Metasploit module available, the 16,000+ vulnerable devices discoverable via Shodan may be targeted by attackers in the coming days and months, perhaps especially by initial access brokers.
Administrators of affected devices are advised to upgrade the firmware to V5.30 as soon as possible.
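One way to triage a device inventory against the affected ranges and fixed release named above (added example; not Zyxel's or Rapid7's code). The model names, version ranges and fixed version come from the advisory as quoted on this page; the inventory entries are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Affected ZLD firmware ranges (inclusive) per Zyxel's CVE-2022-30525 advisory.
AFFECTED_RANGES: Dict[str, Tuple[str, str]] = {
    "USG FLEX 100(W)/200/500/700": ("ZLD V5.00", "ZLD V5.21 Patch 1"),
    "USG FLEX 50(W) / USG20(W)-VPN": ("ZLD V5.10", "ZLD V5.21 Patch 1"),
    "ATP series": ("ZLD V5.10", "ZLD V5.21 Patch 1"),
    "VPN series": ("ZLD V4.60", "ZLD V5.21 Patch 1"),
}
FIXED_VERSION = "ZLD V5.30"

# Accepts "ZLD V5.21 Patch 1", "V5.30", "4.60" (prefix and patch level optional).
_VERSION_RE = re.compile(r"^(?:ZLD\s*)?V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?$", re.IGNORECASE)


def parse_zld_version(text: str) -> Tuple[int, int, int]:
    """Normalise a ZLD version string to a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable(model: str, firmware: str) -> bool:
    """True if the firmware falls inside the advisory's affected range for this model."""
    low, high = AFFECTED_RANGES[model]
    return parse_zld_version(low) <= parse_zld_version(firmware) <= parse_zld_version(high)


def audit_inventory(devices: List[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames that still need the upgrade to FIXED_VERSION.

    Each device is (hostname, model, firmware). Unknown models are flagged too,
    since the range table cannot clear them.
    """
    needs_action = []
    for hostname, model, firmware in devices:
        if model not in AFFECTED_RANGES or is_vulnerable(model, firmware):
            needs_action.append(hostname)
    return needs_action


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "ATP series", "ZLD V5.21 Patch 1"),   # in range -> upgrade
    ("fw-branch-02", "ATP series", "ZLD V5.30"),           # fixed release
    ("fw-vpn-01", "VPN series", "V4.60"),                  # lowest affected VPN build
    ("fw-vpn-02", "ATP series", "4.60"),                   # below ATP's affected range
    ("fw-lab-01", "Unknown model", "ZLD V5.20"),           # cannot be cleared
]

if __name__ == "__main__":
    print("Upgrade to", FIXED_VERSION, "needed on:", audit_inventory(SAMPLE_INVENTORY))
```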
“If possible, enable automatic firmware updates. Disable WAN access to the administrative web interface of the system,” Baines also advised.
Baines lamented that Zyxel patched this vulnerability silently, because this “tends to only help active attackers, and leaves defenders in the dark about the true risk of newly discovered issues.”
Zyxel, though, says it wasn’t on purpose, but due to “miscommunication during the disclosure coordination process.”
UPDATE (May 16, 2022, 06:05 a.m. ET):
Exploitation attempts for CVE-2022-30525 have been detected.