Zyxel Releases Patch for Critical Firewall OS Command Injection Vulnerability

Zyxel has moved to address a critical security vulnerability
affecting Zyxel firewall devices that enables unauthenticated and
remote attackers to gain arbitrary code execution.

“A command injection vulnerability in the CGI program of some
firewall versions could allow an attacker to modify specific files
and then execute some OS commands on a vulnerable device,” the
company said^[1]
in an advisory published Thursday.

Cybersecurity firm Rapid7, which discovered^[2]
and reported the flaw on April 13, 2022, said that the weakness
could permit a remote unauthenticated adversary to execute code as
the “nobody” user on impacted appliances.

Tracked as CVE-2022-30525^[3]
(CVSS score: 9.8), the flaw impacts the following products, with
patches released in version ZLD V5.30 –

• USG FLEX 100(W), 200, 500, 700
• USG FLEX 50(W) / USG20(W)-VPN
• ATP series, and
• VPN series

Rapid 7 noted that there are at least 16,213 vulnerable Zyxel
devices exposed to the internet, making it a lucrative attack
vector for threat actors to stage potential exploitation
attempts.

The cybersecurity firm also pointed out that Zyxel silently
issued fixes to address the issue on April 28, 2022 without
publishing an associated Common Vulnerabilities and Exposures
(CVE^[4]) identifier or a
security advisory. Zyxel, in its alert, blamed this on a
“miscommunication during the disclosure coordination process.”

“Silent vulnerability patching tends to only help active
attackers, and leaves defenders in the dark about the true risk of
newly discovered issues,” Rapid7 researcher Jake Baines said.

The advisory comes as Zyxel addressed three different issues,
including a command injection (CVE-2022-26413^[5]), a buffer overflow
(CVE-2022-26414^[6]), and a local privilege
escalation (CVE-2022-0556^[7]) flaw, in its
VMG3312-T20A wireless router and AP Configurator that could lead to
arbitrary code execution.