Zyxel security advisory for OS command injection vulnerability of firewalls

Zyxel_Emily Posts: 929
edited May 13 in Security

CVE: CVE-2022-30525


Zyxel has released patches for an OS command injection vulnerability found by Rapid7 and urges users to install them for optimal protection.

What is the vulnerability?

A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the vulnerable products that are within their vulnerability support period and released patches to address the vulnerability, as shown in the table below.

Got a question?

Please contact your local service rep or visit Zyxel’s forum for further information or assistance.

Acknowledgment and commentary

Thanks to Rapid7 for reporting the CVE-2022-30525 issue to us. However, there was miscommunication during the disclosure coordination process with Rapid7. As a CNA, Zyxel always follows the principles of coordinated disclosure to arrange public disclosure with reporters.

Revision history

2022-05-12: Initial release



  • Mario
    Mario Posts: 92
    Why is the CVE-2022-30525 not listed in the release notes?

  • ESupport
    ESupport Posts: 6
    Are older boxes like the USG 310 or the USG 40/60 also affected by this?
  • e_mano_e
    e_mano_e Posts: 24
    This vulnerability mainly affects only systems where WAN access to the administrative web interface is enabled, right?
    If WAN access is disabled, there is not much risk to my firewall for now, right?

    I'm just asking to make sure how fast I have to apply the firmware patch.
  • MikeForshock
    MikeForshock Posts: 31
    Mario said:
    Why is the CVE-2022-30525 not listed in the release notes?

    This is the main question: why was it not mentioned?
  • dkyeager
    dkyeager Posts: 61
    Been a long time since Zyxel has had a stable release from a security perspective. It would be good to have that for situations like this. Had to rush testing of 5.30 today because of this. Not appreciated.

    I like that Zyxel has historically been honest in its release notes, but this seems to be slipping.
  • Zyxel_Vic
    Zyxel_Vic Posts: 265
    Hi @Mario @MikeForshock @dkyeager
    We're sorry for the confusion.
    This vulnerability has been fixed aggressively in the regular release, but we did not disclose it since the official disclosure time had not been aligned with the researcher at that moment. In the meantime, we updated the device's What's New with the CVE info on the same day, expecting users to get real-time notice from the device directly.

    USG310 and USG40/60 are immune to this vulnerability.

    Yes, you're right. However, since the hacker may also come from the LAN side, it's strongly recommended to upgrade to 5.30 as soon as possible.
  • Ckat1212
    Ckat1212 Posts: 1
    Is the ZyWall 110 affected by this vulnerability? The latest firmware for that is 4.71, so I'm a bit confused.
  • mMontana
    mMontana Posts: 859
    @Ckat1212 take your time re-reading the first post. You should easily find an answer.
  • My Zyxel USG20W-VPN system had been on 5.20, and then a trial-users admin account was added and it updated my firewall to v.5.30.

    Are you sure that this 5.30 is secure?
  • zyman2008
    zyman2008 Posts: 154
    You should assume the configuration and username/password have already been leaked for a long time.
    I recommend changing all passwords of all user accounts and not changing to any previously used password.
