Zyxel security advisory for OS command injection vulnerability of firewalls

Zyxel_Jason

CVE: CVE-2022-30525

Summary

Zyxel has released patches for an OS command injection vulnerability found by Rapid 7 and urges users to install them for optimal protection.

What is the vulnerability?

A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the vulnerable products that are within their vulnerability support period and released patches to address the vulnerability, as shown in the table below.

Affected model	Affected firmware version	Patch availability
USG FLEX 100(W), 200, 500, 700	ZLD V5.00 through ZLD V5.21 Patch 1	ZLD V5.30
USG FLEX 50(W) / USG20(W)-VPN	ZLD V5.10 through ZLD V5.21 Patch 1	ZLD V5.30
ATP series	ZLD V5.10 through ZLD V5.21 Patch 1	ZLD V5.30
VPN series	ZLD V4.60 through ZLD V5.21 Patch 1	ZLD V5.30

Got a question?

Please contact your local service rep or visit Zyxel’s forum for further information or assistance.

Acknowledgments and commentary

Thanks to Rapid7 for reporting the CVE-2022-30525 issue to us. However, there was miscommunication during the disclosure coordination process with Rapid7. As a CNA, Zyxel always follows the principles of coordinated disclosure to arrange public disclosure with reporters.

Revision history

2022-05-12: Initial release