Threat analysts who discovered a vulnerability affecting multiple Zyxel products report that the network equipment company fixed it via a silent update pushed out two weeks ago. More specifically, security researchers at Rapid7 found the flaw, which is now tracked as CVE-2022-30525 (CVSS v3 score: 9.8 – critical) and disclosed it to Zyxel on April 13, 2022. The flaw is an unauthenticated remote command injection via the HTTP interface, affecting Zyxel firewalls supporting Zero Touch Provisioning (ZTP). The impacted firmware versions are ZLD5.00 to ZLD5.21 Patch 1. CVE-2022-30525 impacts the following models:
- USG FLEX 50, 50W, 100W, 200, 500, 700 using firmware 5.21 and below
- USG20-VPN and USG20W-VPN using firmware 5.21 and below
- ATP 100, 200, 500, 700, 800 using firmware 5.21 and below
These products are typically used in small branches and corporate headquarters for VPN, SSL inspection, intrusion protection, email security, and web filtering.
“Commands are executed as the ‘nobody’ user. This vulnerability is exploited through the /ztp/cgi-bin/handler URI and is the result of passing unsanitized attacker input into the os.system method in lib_wan_settings.py,” explains the Rapid7 report. “The vulnerable functionality is invoked in association with the setWanPortSt command. An attacker can inject arbitrary commands into the mtu or the data parameter.”

Zyxel confirmed the report and the validity of the flaw and promised to release security updates in June 2022, yet they released a patch on April 28, 2022, without supplying a security advisory, technical details, or mitigation guidance to its customers.

Today, Rapid7 published its disclosure report, along with the corresponding Metasploit module that exploits CVE-2022-30525 by injecting commands in the MTU field. The typical consequences of such an attack would be file modification and OS command execution, allowing threat actors to gain initial access to a network and spread laterally through it.

“The Zyxel firewalls affected by CVE-2022-30525 are what we typically refer to as ‘network pivot.’ Exploitation of CVE-2022-30525 will likely allow an attacker to establish a foothold in the victim’s internal network,” Rapid7 told reporters. “From that foothold, the attacker can attack (or pivot to) internal systems that otherwise would not be exposed to the internet.”
As the technical details and an exploit for the vulnerability have been released, all administrators should update their devices immediately, before threat actors begin to actively exploit the flaw. Rapid7 reports that at the time of discovery there were at least 16,213 vulnerable systems exposed to the internet, making this vulnerability an attractive target for threat actors.