Contents:
Zyxel is a trademark name that is used by both Zyxel Communications Corp. and Zyxel Networks, two companies that are involved in the production of networking equipment as well as the provision of services to communications service providers. Zyxel firms have their headquarters in Hsinchu, Taiwan, with branch offices all around the world, including in North America, Europe, and Asia.
What Happened?
Hackers have begun to take advantage of a new severe vulnerability that affects the Zyxel firewall and VPN equipment for commercial use.
CVE-2022-30525 is a command injection vulnerability in the CGI program of some firewall versions that could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
As explained by BleepingComputer, if the exploit is successful, a remote attacker is granted the ability to inject arbitrary commands without requiring authentication from a remote location. This may make it possible to set up a reverse shell.
On April 28, Zyxel released firmware that fixed an unauthenticated and remote command injection I’d found in their firewalls: USG FLEX series, ATP series, and USG20-VPN/USG20w-VPN. This was assigned CVE-2022-30525. We published our advisory this morning: https://t.co/lJF3kXoCok
— Jacob Baines (@Junior_Baines) May 12, 2022
Jacob Baines, the chief security researcher at Rapid7, was the one who discovered the vulnerability. In a short technical paper, he shows how the flaw might be used in attacks. The Metasploit penetration testing framework has been updated with the addition of a module.
The affected models are vulnerable to unauthenticated and remote command injection via the administrative HTTP interface. Commands are executed as the nobody user. This vulnerability is exploited through the /ztp/cgi-bin/handler URI and is the result of passing unsanitized attacker input into the os.system method in lib_wan_settings.py. The vulnerable functionality is invoked in association with the setWanPortSt command. An attacker can inject arbitrary commands into the mtu or the data parameter. Below is an example curl that will cause the firewall to execute ping 192.168.1.220.
According to the findings of the study, an attacker may set up a reverse shell by utilizing the regular bash GTFOBin.
Zyxel issued a security advisory on May 12 about CVE-2022-30525, which has a critical severity score of 9.8. The warning said that a remedy had been provided for the affected models, and it urged administrators to apply the most recent updates:
| Affected model | Affected firmware version | Patch availability |
|---|---|---|
| USG FLEX 100(W), 200, 500, 700 | ZLD V5.00 through ZLD V5.21 Patch 1 | ZLD V5.30 |
| USG FLEX 50(W) / USG20(W)-VPN | ZLD V5.10 through ZLD V5.21 Patch 1 | ZLD V5.30 |
| ATP series | ZLD V5.10 through ZLD V5.21 Patch 1 | ZLD V5.30 |
| VPN series | ZLD V4.60 through ZLD V5.21 Patch 1 | ZLD V5.30 |
Rob Joyce, who is the Director of Cybersecurity at the NSA, has issued a warning to users about the possibility of exploitation and encouraged them to update the device firmware version if it is vulnerable. This is because the severity of the security issue and the damage it could cause is serious enough.
Exploitation underway. Check your Zyxel firewall version and patch. CVE-2022-30525 https://t.co/EpVwlb8jeQ
— Rob Joyce (@NSA_CSDirector) May 15, 2022
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.
Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.
