Zyxel fixes firewall flaws that could lead to hacked networks
Zyxel has fixed critical firewall vulnerabilities that could have allowed threat actors to gain full access to devices and the internal corporate networks they are designed to protect.
Security researchers at Rapid7 found the flaw, which is now tracked as CVE-2022-30525, and disclosed it to Zyxel on April 13, 2022.
The flaw is an unauthenticated remote command injection via the HTTP interface, affecting Zyxel firewalls supporting Zero Touch Provisioning.
Zyxel confirmed the report and the validity of the flaw and promised to release security updates fixing it in June 2022, yet it released a patch on April 28, 2022, without supplying a security advisory, technical details, or mitigation guidance to its customers.
The typical consequences of such an attack would be file modification and OS command execution, allowing threat actors to gain initial access to a network and spread laterally through it.
Bleeping Computer noticed that Zyxel published a security advisory for CVE-2022-30525 during the preparation of this story, attributing the lack of coordination with Rapid7 to miscommunication.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-05-12 | CVE-2022-30525 | OS Command Injection vulnerability in Zyxel products. An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, and VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device. | 9.8 |
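
The affected ranges in the row above can be turned into an inventory check. The following is an added example, not code from Zyxel, Rapid7 or the original article: it flags devices whose model and firmware fall inside the listed ranges. The firmware string format (`5.21 Patch 1`), the `ATP<number>`/`VPN<number>` naming of series members, the function names and the sample inventory are assumptions made for illustration.

```python
import re

# Ranges from the advisory row above; every range ends at 5.21 Patch 1.
LAST_AFFECTED = (5, 21, 1)
# (model pattern, first affected version). The ATP and VPN patterns assume
# series members are named "ATP<number>" / "VPN<number>" (not stated on the page).
RULES = [
    (re.compile(r"USG FLEX (100W?|200|500|700)"), (5, 0, 0)),
    (re.compile(r"USG FLEX 50W?"), (5, 10, 0)),
    (re.compile(r"USG20W?-VPN"), (5, 10, 0)),
    (re.compile(r"ATP\d+"), (5, 10, 0)),
    (re.compile(r"VPN\d+"), (4, 60, 0)),
]
# Assumed inventory format: "5.21", "V5.21" or "5.21 Patch 1".
VERSION_RE = re.compile(r"V?(\d+)\.(\d+)(?:\s*PATCH\s*(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) or None if the string is not understood."""
    m = VERSION_RE.fullmatch(text.strip().upper())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(model, firmware):
    """True/False for listed ranges; None when the firmware string is unparseable."""
    name = " ".join(model.upper().split())
    first = next((v for pat, v in RULES if pat.fullmatch(name)), None)
    if first is None:
        return False  # model is not named in the advisory
    version = parse_version(firmware)
    if version is None:
        return None  # do not guess: flag for manual review
    return first <= version <= LAST_AFFECTED


def triage(inventory):
    """Map each (host, model, firmware) row to a status label."""
    labels = {True: "AFFECTED", False: "NOT IN RANGE", None: "REVIEW"}
    return [(host, labels[is_affected(model, fw)]) for host, model, fw in inventory]


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = [("fw-hq", "USG FLEX 200", "5.21 Patch 1"),
              ("fw-lab", "USG FLEX 50W", "5.00"),
              ("fw-vpn", "VPN100", "4.60"),
              ("fw-old", "ATP200", "unknown")]
    for host, status in triage(sample):
        print(host, status)
```

A `REVIEW` result means the firmware string could not be parsed and the device should be checked by hand rather than assumed safe.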