CVE-2022-30525 : A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W)

A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

Published 2022-05-12 14:15:07

Updated 2022-10-19 18:32:19

Source Zyxel Corporation

View at NVD, CVE.org

Products affected by CVE-2022-30525

Zyxel » Atp200 Firmware
Versions from including (>=) 5.10 and before (<) 5.30
cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Atp200 » Version: N/A
Zyxel » Atp500 Firmware
Versions from including (>=) 5.10 and before (<) 5.30
cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Atp500 » Version: N/A
Zyxel » Atp800 Firmware
Versions from including (>=) 5.10 and before (<) 5.30
cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Atp800 » Version: N/A
Zyxel » Usg20w-vpn Firmware
Versions from including (>=) 5.10 and before (<) 5.30
cpe:2.3:o:zyxel:usg20w-vpn_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Usg20w-vpn » Version: N/A
Zyxel » Vpn50 Firmware
Versions from including (>=) 4.60 and before (<) 5.30
cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Vpn50 » Version: N/A
Zyxel » Vpn100 Firmware
Versions from including (>=) 4.60 and before (<) 5.30
cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Vpn100 » Version: N/A
Zyxel » Vpn300 Firmware
Versions from including (>=) 4.60 and before (<) 5.30
cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Vpn300 » Version: N/A
Zyxel » Atp100 Firmware
Versions from including (>=) 5.10 and before (<) 5.30
cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Atp100 » Version: N/A
Zyxel » Vpn1000 Firmware
Versions from including (>=) 4.60 and before (<) 5.30
cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Vpn1000 » Version: N/A
Zyxel » Usg Flex 200 Firmware
Versions from including (>=) 5.00 and before (<) 5.30
cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Usg Flex 200 » Version: N/A
Zyxel » Usg Flex 500 Firmware
Versions from including (>=) 5.00 and up to, including, (<=) 5.30
cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Usg Flex 500 » Version: N/A
Zyxel » Usg Flex 100w Firmware
Versions from including (>=) 5.00 and before (<) 5.30
cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Usg Flex 100w » Version: N/A
Zyxel » Usg Flex 700 Firmware
Versions from including (>=) 5.00 and before (<) 5.30
cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Usg Flex 700 » Version: N/A
Zyxel » Atp100w Firmware
Versions from including (>=) 5.10 and before (<) 5.30
cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Atp100w » Version: N/A
Zyxel » Atp700 Firmware
Versions from including (>=) 5.10 and before (<) 5.30
cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Atp700 » Version: N/A
Zyxel » Usg Flex 50w Firmware
Versions from including (>=) 5.10 and before (<) 5.30
cpe:2.3:o:zyxel:usg_flex_50w_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Usg Flex 50w » Version: N/A

CVE-2022-30525 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Zyxel Multiple Firewalls OS Command Injection Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

Notes:

https://nvd.nist.gov/vuln/detail/CVE-2022-30525

Added on 2022-05-16 Action due date 2022-06-06

Exploit prediction scoring system (EPSS) score for CVE-2022-30525

EPSS FAQ

97.37%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2022-30525

Zyxel Firewall ZTP Unauthenticated Command Injection

Disclosure Date: 2022-04-28

First seen: 2022-12-23

exploit/linux/http/zyxel_ztp_rce

This module exploits CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. By sending a malicious setWanPortSt command containing an mtu field with a crafted OS command

More information

CVSS scores for CVE-2022-30525

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	Zyxel Corporation
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-30525

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Assigned by:
- nvd@nist.gov (Primary)
- security@zyxel.com.tw (Secondary)

References for CVE-2022-30525

https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml

Zyxel security advisory for OS command injection vulnerability of firewalls | Zyxel
Vendor Advisory
http://packetstormsecurity.com/files/168202/Zyxel-Firewall-SUID-Binary-Privilege-Escalation.html

Zyxel Firewall SUID Binary Privilege Escalation ≈ Packet Storm
Exploit;Third Party Advisory

CVEs referencing this url
http://packetstormsecurity.com/files/167182/Zyxel-Firewall-ZTP-Unauthenticated-Command-Injection.html

Zyxel Firewall ZTP Unauthenticated Command Injection ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
http://packetstormsecurity.com/files/167176/Zyxel-Remote-Command-Execution.html

Zyxel Remote Command Execution ≈ Packet Storm
Third Party Advisory;VDB Entry
http://packetstormsecurity.com/files/167372/Zyxel-USG-FLEX-5.21-Command-Injection.html

Zyxel USG FLEX 5.21 Command Injection ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2022-30525