Zyxel security advisory for OS command injection vulnerability of firewalls

Zyxel_Jason

CVE: CVE-2022-30525

Summary

Zyxel has released patches for an OS command injection vulnerability found by Rapid7 and urges users to install them for optimal protection.

What is the vulnerability?

A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the vulnerable products that are within their vulnerability support period and released patches to address the vulnerability, as shown in the table below.

| Affected model | Affected firmware version | Patch availability |
|---|---|---|
| USG FLEX 100(W), 200, 500, 700 | ZLD V5.00 through ZLD V5.21 Patch 1 | ZLD V5.30 |
| USG FLEX 50(W) / USG20(W)-VPN | ZLD V5.10 through ZLD V5.21 Patch 1 | ZLD V5.30 |
| ATP series | ZLD V5.10 through ZLD V5.21 Patch 1 | ZLD V5.30 |
| VPN series | ZLD V4.60 through ZLD V5.21 Patch 1 | ZLD V5.30 |


Got a question?

Please contact your local service rep or visit Zyxel’s forum for further information or assistance.

Acknowledgments and commentary

Thanks to Rapid7 for reporting the CVE-2022-30525 issue to us. However, there was miscommunication during the disclosure coordination process with Rapid7. As a CNA, Zyxel always follows the principles of coordinated disclosure to arrange public disclosure with reporters.

Revision history

2022-05-12: Initial release

Jason
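
An added example, not part of Zyxel's advisory: a Python check of a device inventory against the affected-version ranges listed in the advisory. It assumes firmware versions are recorded in the advisory's own notation (`ZLD V5.21 Patch 1`) and that each device is tagged with its model row from the table; the hostnames, inventory rows and status labels are constructed.

```python
import re

# Affected ranges copied from the advisory table: model row -> (first, last affected).
AFFECTED = {
    "USG FLEX 100(W), 200, 500, 700": ("ZLD V5.00", "ZLD V5.21 Patch 1"),
    "USG FLEX 50(W) / USG20(W)-VPN": ("ZLD V5.10", "ZLD V5.21 Patch 1"),
    "ATP series": ("ZLD V5.10", "ZLD V5.21 Patch 1"),
    "VPN series": ("ZLD V4.60", "ZLD V5.21 Patch 1"),
}

# Assumed input format: the advisory's notation, with "ZLD" and "Patch N" optional.
_VERSION = re.compile(r"^\s*(?:ZLD\s+)?V(\d+)\.(\d+)(?:\s+Patch\s+(\d+))?\s*$", re.I)

def parse_version(text):
    """Turn 'ZLD V5.21 Patch 1' into a comparable tuple (5, 21, 1)."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def assess(family, version):
    """Classify one device against the advisory's range for its model row."""
    if family not in AFFECTED:
        return "family not listed"
    low, high = (parse_version(v) for v in AFFECTED[family])
    in_range = low <= parse_version(version) <= high
    return "in affected range" if in_range else "outside affected range"

def audit(inventory):
    """Map each (host, family, version) row to a status; bad versions need manual review."""
    report = {}
    for host, family, version in inventory:
        try:
            report[host] = assess(family, version)
        except ValueError:
            report[host] = "unparseable version"
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("fw-branch-01", "USG FLEX 100(W), 200, 500, 700", "ZLD V5.21 Patch 1"),
    ("fw-branch-02", "USG FLEX 50(W) / USG20(W)-VPN", "ZLD V5.00"),
    ("fw-hq-01", "ATP series", "ZLD V5.30"),
    ("vpn-dc-01", "VPN series", "V4.60"),
    ("fw-lab-01", "USG FLEX 50(W) / USG20(W)-VPN", "5.21-beta"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

A result of "outside affected range" or "family not listed" only means the device falls outside the rows of this advisory's table, which covers products within their vulnerability support period.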