Zyxel, the networking and VPN vendor whose firewalls provide multiple security and networking features to small and medium businesses, has confirmed a severe vulnerability in its firewall line, CVE-2022-30525.
The CVE-2022-30525 vulnerability was discovered by Jake Baines, Principal Security Researcher at Rapid7, in April 2022. The vulnerability allows an unauthenticated, remote attacker to execute arbitrary code on an affected device in the context of the nobody user.
Zyxel Firewall CVE-2022-30525
The CVE-2022-30525 flaw can be exploited by unauthenticated remote attackers to inject operating system commands through the administrative HTTP interface of vulnerable firewalls. This gives attackers the ability to modify specific files and execute operating system commands.
The Zyxel firewall vulnerability was disclosed by Baines of Rapid7, who stated that the information was released in accordance with the company’s vulnerability disclosure policy.
Publishing details of an exploit seen in the wild helps the many affected devices and users get protected before they are breached. The HTTP administration interface of the affected models accepts injected commands from outside without authentication, and the injected commands execute on the system as the nobody user.
According to Rapid7, this flaw can be exploited via the URI /ztp/cgi-bin/handler. The root cause is that the os.system method in lib_wan_settings.py receives unfiltered input from an attacker. The vulnerable function is reached when the setWanPortSt command is executed, and an attacker can place arbitrary commands in the mtu or data parameters.
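As an added example (not code from the original article, Rapid7 or Zyxel), the following shows two defender-side uses of the details above: a check that flags setWanPortSt requests to /ztp/cgi-bin/handler whose mtu or data parameters contain shell syntax, and the hardened pattern that replaces an os.system() string with a validated argv list. The request layout, the parameter names beyond mtu/data and the `ip link` command are assumptions; the real request format and the real command in lib_wan_settings.py are not shown on the page.

```python
import re
from dataclasses import dataclass, field

# One request to the ZTP handler, as a log collector might reconstruct it.
# The field layout is an assumption for this example; the page only names the
# URI, the setWanPortSt command and the mtu/data parameters.
@dataclass
class HandlerRequest:
    path: str
    command: str
    params: dict = field(default_factory=dict)

ZTP_HANDLER = "/ztp/cgi-bin/handler"
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")

def valid_mtu(value: str) -> bool:
    """A WAN MTU is a bare integer in a narrow range; anything else is rejected."""
    return value.isdigit() and 576 <= int(value) <= 9000

def injection_indicators(req: HandlerRequest) -> list[str]:
    """Reasons a setWanPortSt request looks like a CVE-2022-30525 attempt (empty = clean)."""
    if req.path != ZTP_HANDLER or req.command != "setWanPortSt":
        return []
    reasons = []
    mtu = req.params.get("mtu")
    if mtu is not None and not valid_mtu(str(mtu)):
        reasons.append(f"mtu is not a plain integer: {mtu!r}")
    data = req.params.get("data")
    if data is not None and SHELL_META.search(str(data)):
        reasons.append(f"shell metacharacters in data: {data!r}")
    return reasons

def set_mtu_argv(iface: str, mtu: str) -> list[str]:
    """Hardened replacement for an os.system() string: validate, then build an
    argv list for subprocess.run(..., shell=False). The `ip link` command is a
    stand-in (assumption); the real command in lib_wan_settings.py is not shown."""
    if not re.fullmatch(r"[a-z0-9]{1,15}", iface):
        raise ValueError(f"bad interface name: {iface!r}")
    if not valid_mtu(mtu):
        raise ValueError(f"bad mtu: {mtu!r}")
    return ["ip", "link", "set", "dev", iface, "mtu", mtu]

# Constructed sample requests: one legitimate, two with injected shell syntax,
# one to a different path that the check deliberately ignores.
SAMPLE_REQUESTS = [
    HandlerRequest(ZTP_HANDLER, "setWanPortSt", {"port": "4", "mtu": "1500"}),
    HandlerRequest(ZTP_HANDLER, "setWanPortSt", {"port": "4", "mtu": "1500; id"}),
    HandlerRequest(ZTP_HANDLER, "setWanPortSt", {"port": "4", "data": "x`uname`"}),
    HandlerRequest("/login", "setWanPortSt", {"mtu": "1500; id"}),
]

def flagged_requests() -> list[int]:
    """Indexes of SAMPLE_REQUESTS that carry injection indicators."""
    return [i for i, r in enumerate(SAMPLE_REQUESTS) if injection_indicators(r)]
```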
As reported by Help Net Security, Zyxel has confirmed that the following firewall models and firmware versions are affected by the vulnerability:
USG FLEX 100 (W), 200, 500 and 700 running firmware versions ZLD V5.00 through ZLD V5.21 Patch 1.
Zyxel firewall vulnerability fix
It has been a month since the discovery of the CVE-2022-30525 vulnerability. However, it is still present in the wild and affects a large number of users.
Zyxel has already released a fix, which can be reverse engineered, and a Metasploit module from Rapid7 is also available.
As a result, the more than 15,000 vulnerable devices that can be discovered through Shodan may be targeted by attackers in the days and months to come, perhaps especially by initial access brokers.
As an additional guideline, Baines said, “If possible, enable automatic firmware updates. Disable WAN access to the system administration web interface.”
Rapid7 reported at the time that there were over 15,000 vulnerable devices exposed on the Internet. Over the weekend, however, the Shadowserver Foundation raised that count to over 20,800.
Following Rapid7’s April 13 disclosure of the vulnerability, the Taiwanese hardware maker silently released patches on April 28. Rapid7 only became aware of the post on May 9 and eventually published its blog and the Metasploit module with the Zyxel review.
Firewall company Zyxel later clarified that there was miscommunication during the Coordinated Disclosure process and that it still continues to follow the Disclosure Principles.