Zyxel security advisory for OS command injection vulnerability of firewalls
CVE: CVE-2022-30525
Summary
Zyxel has released patches for an OS command injection vulnerability reported by Rapid7 and urges users to install them for optimal protection.
What is the vulnerability?
A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute OS commands on a vulnerable device. Command injection of this kind arises when a request parameter reaches an OS shell without strict validation, so any shell metacharacter in the parameter is interpreted as shell syntax rather than as data.
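As an added example of the vulnerability class described above (editor's illustration, not Zyxel firmware code; the hypothetical "set MTU" CGI action, its field names, the `ip link set` command and the validation limits are all assumptions), the vulnerable pattern of pasting a request field into a shell string is shown beside a hardened handler that validates each field against an allowlist and invokes the program with an argv list and no shell. A small helper splits the vulnerable command line the way a POSIX shell would, so the injected second command becomes visible:

```python
"""Constructed illustration of a CGI OS command injection and its fix.
Added example, not Zyxel code: the action, parameters and command are assumed."""
import json
import re
import shlex
import subprocess

# Tokens a POSIX shell treats as command separators.
SHELL_OPERATORS = {";", "&", "&&", "|", "||"}


def vulnerable_build_command(params: dict) -> str:
    """Vulnerable pattern: request fields are pasted into a shell string that is
    later run with shell=True. A value such as "1500; id > /tmp/pwned" makes the
    shell run a second, attacker-chosen command that writes a file."""
    return f"ip link set dev {params['iface']} mtu {params['mtu']}"


def shell_commands(cmdline: str) -> list:
    """Split a command line into the simple commands a POSIX shell would run,
    so an injected command shows up as an extra entry in the result."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in SHELL_OPERATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


# Allowlists (assumed limits): Linux interface names are at most 15 characters;
# MTU is a plain integer in a plausible range.
IFACE_RE = re.compile(r"[a-z][a-z0-9]{0,14}")
MTU_RE = re.compile(r"[0-9]{2,4}")


def hardened_build_argv(params: dict) -> list:
    """Hardened form: validate every field against a strict allowlist and return
    an argv list to be run without a shell, so no character in the input can be
    interpreted as shell syntax. Rejects anything outside the allowlist."""
    iface = str(params.get("iface", ""))
    mtu = str(params.get("mtu", ""))
    if not IFACE_RE.fullmatch(iface):
        raise ValueError("invalid interface name")
    if not MTU_RE.fullmatch(mtu) or not 68 <= int(mtu) <= 9000:
        raise ValueError("invalid mtu")
    return ["ip", "link", "set", "dev", iface, "mtu", mtu]


def handle_request(body: str, execute=None) -> dict:
    """Hypothetical CGI entry point: parse the JSON body, validate, then run the
    argv list without a shell. `execute` defaults to subprocess.run; callers
    (and the tests) may inject a recorder instead of really running `ip`."""
    execute = execute or (lambda argv: subprocess.run(argv, check=True))
    try:
        params = json.loads(body)          # JSONDecodeError is a ValueError
        argv = hardened_build_argv(params)
    except (ValueError, TypeError, AttributeError) as exc:
        return {"ok": False, "error": str(exc)}
    execute(argv)
    return {"ok": True, "argv": argv}


if __name__ == "__main__":
    # Constructed malicious request: the mtu field carries a second command.
    payload = {"iface": "wan1", "mtu": "1500; id > /tmp/pwned"}
    cmdline = vulnerable_build_command(payload)
    print("vulnerable shell string :", cmdline)
    print("commands a shell runs   :", shell_commands(cmdline))
    record = lambda argv: None  # do not touch the real network stack here
    print("hardened, bad input     :", handle_request(json.dumps(payload), record))
    print("hardened, good input    :",
          handle_request('{"iface": "wan1", "mtu": "1500"}', record))
```

The point of the split helper is that the vulnerable string looks like a single command to the developer but is two commands to the shell; the hardened handler never hands the input to a shell at all, and the allowlist rejects the payload before any process is started.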
What versions are vulnerable—and what should you do?
After a thorough investigation, we’ve identified the vulnerable products that are within their vulnerability support period and released patches to address the vulnerability, as shown in the table below.
Got a question?
Please contact your local service rep or visit Zyxel’s forum for further information or assistance.
Acknowledgment and commentary
Thanks to Rapid7 for reporting the CVE-2022-30525 issue to us. However, there was miscommunication during the disclosure coordination process with Rapid7. As a CNA, Zyxel always follows the principles of coordinated disclosure to arrange public disclosure with reporters.
Revision history
2022-05-12: Initial release
Comments
Are older boxes like the USG 310 or the USG 40/60 also affected by this?
This vulnerability mainly affects only systems where WAN access to the administrative web interface is enabled, right?
If WAN access is disabled, there is not much risk to my firewall for now, right?
I'm just asking to make sure how fast I have to apply the firmware patch.
Mario said:
https://arstechnica.com/information-technology/2022/05/zyxel-silently-patches-command-injection-vulnerability-with-9-8-severity-rating/
Been a long time since Zyxel has had a stable release from a security perspective. It would be good to have that for situations like this. Had to rush testing of 5.30 today because of this. Not appreciated. I like that Zyxel has historically been honest in its release notes, but this seems to be slipping.
Hi @Mario @MikeForshock @dkyeager
We're sorry for the confusion.
This vulnerability was fixed in the regular release, but we did not disclose it because the official disclosure date had not yet been aligned with the researcher at that time. In the meantime, we updated the device's What's New with the CVE information on the same day, expecting users to get real-time notice from the device directly.
@ESupport
USG310 and USG40/60 are immune to this vulnerability.
@e_mano_e
Yes, you're right. However, since the hacker may also come from the LAN side, it's strongly recommended to upgrade to 5.30 as soon as possible.
Is the ZyWall 110 affected by this vulnerability? The latest firmware for that is 4.71, so I'm a bit confused.
My Zyxel USG20W-VPN system had been on 5.20, and then a trial-users admin account was added and it updated my firewall to v5.30.
Are you sure that this 5.30 is secure?
AnonymousBusiness,
You should assume the configuration and username/password have already been leaked for a long time.
I recommend changing the passwords of all user accounts and not reusing any previously used password.