Vulnerability Details : CVE-2022-30525

A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

Published 2022-05-12 14:15:07

Updated 2022-10-19 18:32:19

Source Zyxel Corporation

View at NVD, CVE.org

At least one public exploit which can be used to exploit this vulnerability exists!

CVE-2022-30525 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Zyxel Multiple Firewalls OS Command Injection Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

Added on 2022-05-16 Action due date 2022-06-06

Exploit prediction scoring system (EPSS) score for CVE-2022-30525

Probability of exploitation activity in the next 30 days: 97.52%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2022-30525

Zyxel Firewall ZTP Unauthenticated Command Injection

Disclosure Date : 2022-04-28

exploit/linux/http/zyxel_ztp_rce

This module exploits CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. By sending a malicious setWanPortSt command containing an mtu field with a crafted OS command to the /ztp/cgi-bin/handler page, an attacker can gain remote command execution as the nobody user. Affected Zyxel models are: * USG FLEX 50, 50W, 100W, 200, 500, 700 using firmware 5.21 and below * USG20-VPN and USG20W-VPN using firmware 5.21 and below * ATP 100, 200, 500, 700, 800 using firmware 5.21 and below Authors: - jbaines-r7

More information

CVSS scores for CVE-2022-30525

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	[email protected]
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-30525

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Assigned by:
- [email protected] (Primary)
- [email protected] (Secondary)

References for CVE-2022-30525

https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml

Vendor Advisory
http://packetstormsecurity.com/files/168202/Zyxel-Firewall-SUID-Binary-Privilege-Escalation.html

Exploit;Third Party Advisory

CVEs referencing this url
http://packetstormsecurity.com/files/167182/Zyxel-Firewall-ZTP-Unauthenticated-Command-Injection.html

Exploit;Third Party Advisory;VDB Entry
http://packetstormsecurity.com/files/167176/Zyxel-Remote-Command-Execution.html

Third Party Advisory;VDB Entry
http://packetstormsecurity.com/files/167372/Zyxel-USG-FLEX-5.21-Command-Injection.html

Exploit;Third Party Advisory;VDB Entry

Products affected by CVE-2022-30525

Zyxel » Atp200 Firmware
Versions from including (>=) 5.10 and before (<) 5.30
cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Atp200 » Version: N/A
Zyxel » Atp500 Firmware
Versions from including (>=) 5.10 and before (<) 5.30
cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Atp500 » Version: N/A
Zyxel » Atp800 Firmware
Versions from including (>=) 5.10 and before (<) 5.30
cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Atp800 » Version: N/A
Zyxel » Usg20w-vpn Firmware
Versions from including (>=) 5.10 and before (<) 5.30
cpe:2.3:o:zyxel:usg20w-vpn_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Usg20w-vpn » Version: N/A
Zyxel » Vpn50 Firmware
Versions from including (>=) 4.60 and before (<) 5.30
cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Vpn50 » Version: N/A
Zyxel » Vpn100 Firmware
Versions from including (>=) 4.60 and before (<) 5.30
cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Vpn100 » Version: N/A
Zyxel » Vpn300 Firmware
Versions from including (>=) 4.60 and before (<) 5.30
cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Vpn300 » Version: N/A
Zyxel » Atp100 Firmware
Versions from including (>=) 5.10 and before (<) 5.30
cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Atp100 » Version: N/A
Zyxel » Vpn1000 Firmware
Versions from including (>=) 4.60 and before (<) 5.30
cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Vpn1000 » Version: N/A
Zyxel » Usg Flex 200 Firmware
Versions from including (>=) 5.00 and before (<) 5.30
cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Usg Flex 200 » Version: N/A
Zyxel » Usg Flex 500 Firmware
Versions from including (>=) 5.00 and up to, including, (<=) 5.30
cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Usg Flex 500 » Version: N/A
Zyxel » Usg Flex 100w Firmware
Versions from including (>=) 5.00 and before (<) 5.30
cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Usg Flex 100w » Version: N/A
Zyxel » Usg Flex 700 Firmware
Versions from including (>=) 5.00 and before (<) 5.30
cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Usg Flex 700 » Version: N/A
Zyxel » Atp100w Firmware
Versions from including (>=) 5.10 and before (<) 5.30
cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Atp100w » Version: N/A
Zyxel » Atp700 Firmware
Versions from including (>=) 5.10 and before (<) 5.30
cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Atp700 » Version: N/A
Zyxel » Usg Flex 50w Firmware
Versions from including (>=) 5.10 and before (<) 5.30
cpe:2.3:o:zyxel:usg_flex_50w_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Usg Flex 50w » Version: N/A