A critical vulnerability (CVE-2022-30525) affecting several models of Zyxel firewalls has been publicly disclosed, along with a Metasploit module that exploits it.
Discovered by Rapid7 researcher Jake Baines and reported to Zyxel on April 13, it was fixed by patches the company released on April 28, but Zyxel has so far not publicly acknowledged it with an associated CVE or security notice.
CVE-2022-30525 can be exploited by unauthenticated remote attackers to inject operating system commands through the vulnerable firewalls’ administrative HTTP interface (if it is exposed to the Internet), allowing them to modify specific files and execute operating system commands.
As confirmed by Zyxel, the vulnerability affects the following firewall models and firmware versions:
- USG FLEX 100(W), 200, 500, 700 – Firmware: ZLD V5.00 to ZLD V5.21 Patch 1
- USG FLEX 50(W) / USG20(W)-VPN – Firmware: ZLD V5.10 to ZLD V5.21 Patch 1
- ATP Series – Firmware: ZLD V5.10 to ZLD V5.21 Patch 1
- VPN Series – Firmware: ZLD V4.60 to ZLD V5.21 Patch 1
Fixes and mitigations
With a patch that can be reverse-engineered and a Metasploit module available, the more than 16,000 vulnerable devices detectable via Shodan could be targeted by attackers in the coming days and months, perhaps especially by initial access brokers.
Administrators of affected devices are advised to upgrade the firmware to V5.30 as soon as possible.
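To turn the affected-version table and the V5.30 upgrade advice above into an inventory check, here is an added Python example (not Zyxel's or Rapid7's code); the model-name prefixes and the parsing of ZLD version strings such as "ZLD V5.21 Patch 1" are my assumptions, and the inventory in the usage block is constructed.

```python
import re

# Affected firmware ranges exactly as listed in the article (inclusive bounds).
# Model-name prefixes are an assumption about how inventory tools spell these models.
AFFECTED = [
    (("USG FLEX 100", "USG FLEX 200", "USG FLEX 500", "USG FLEX 700"), ("V5.00", "V5.21 Patch 1")),
    (("USG FLEX 50", "USG20"), ("V5.10", "V5.21 Patch 1")),
    (("ATP",), ("V5.10", "V5.21 Patch 1")),
    (("VPN",), ("V4.60", "V5.21 Patch 1")),
]
FIXED_VERSION = "V5.30"  # upgrade target recommended in the article

# Assumed version format: optional "ZLD", "V<major>.<minor>", optional "Patch <n>".
_VER_RE = re.compile(r"(?:ZLD\s*)?V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?", re.IGNORECASE)


def parse_version(text):
    """Turn 'ZLD V5.21 Patch 1' into a comparable tuple (5, 21, 1); no patch level -> 0."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def affected_range(model):
    """Return the (first, last) affected firmware for a model name, or None if not listed."""
    name = model.upper()
    for prefixes, rng in AFFECTED:  # order matters: 'USG FLEX 500' must win over 'USG FLEX 50'
        if any(name.startswith(p) for p in prefixes):
            return rng
    return None


def is_vulnerable(model, firmware):
    """True when the model is in the advisory list and its firmware lies inside the affected range."""
    rng = affected_range(model)
    if rng is None:
        return False
    low, high = (parse_version(v) for v in rng)
    return low <= parse_version(firmware) <= high


def triage(inventory):
    """Map each (model, firmware) pair to the action a defender should take."""
    return {f"{m} @ {fw}": (f"upgrade to {FIXED_VERSION}" if is_vulnerable(m, fw) else "not in affected range")
            for m, fw in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = [("USG FLEX 100W", "ZLD V5.10"), ("ATP200", "ZLD V5.21 Patch 1"), ("VPN300", "ZLD V5.30")]
    for device, action in triage(sample).items():
        print(device, "->", action)
```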
“If possible, enable automatic firmware updates. Disable WAN access to the system administration web interface,” Baines also advised.
Baines lamented that Zyxel quietly patched the vulnerability, as it “tends to only help active attackers and leaves defenders in the dark about the true risk of newly discovered issues.”
Zyxel, however, says this was not deliberate, but the result of “miscommunication during the disclosure coordination process.”