Zyxel silently fixes critical RCE vulnerability in firewall products
Threat analysts who discovered a vulnerability affecting multiple Zyxel products report that the network equipment company fixed it via a silent update pushed out two weeks ago.
More specifically, security researchers at Rapid7 found the flaw, which is now tracked as CVE-2022-30525, and disclosed it to Zyxel on April 13, 2022.
The flaw is an unauthenticated remote command injection via the HTTP interface, affecting Zyxel firewalls supporting Zero Touch Provisioning.
"The vulnerable functionality is invoked in association with the setWanPortSt command. An attacker can inject arbitrary commands into the mtu or the data parameter."
Zyxel confirmed the report and the validity of the flaw and promised to release security updates fixing it in June 2022, yet it released a patch on April 28, 2022, without supplying a security advisory, technical details, or mitigation guidance to its customers.
As the technical details of the vulnerability have been released and it is now supported by Metasploit, all admins should update their devices immediately before threat actors begin to actively exploit the flaw.
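One way to triage captured request bodies for the setWanPortSt injection described above, as an added example that is not code from Rapid7, Zyxel or the original article. It assumes the request body is a JSON object carrying `command`, `mtu` and `data` fields; the function names and sample bodies are constructed for illustration.

```python
import json
import re

# Assumption (not stated in the article): the HTTP request body is a JSON
# object with "command", "mtu" and "data" fields.
SHELL_META = re.compile(r"[;&|`$<>\\\n\r(){}]")
PLAIN_INT = re.compile(r"[0-9]{1,5}")


def string_leaves(value):
    """Yield every string nested anywhere inside a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from string_leaves(item)
    elif isinstance(value, list):
        for item in value:
            yield from string_leaves(item)


def inspect_body(body):
    """Return the reasons a request body looks like setWanPortSt injection."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        # A malformed body that still names the command deserves a look.
        return ["unparseable body naming setWanPortSt"] if "setWanPortSt" in body else []
    if not isinstance(req, dict) or req.get("command") != "setWanPortSt":
        return []
    findings = []
    mtu = req.get("mtu")
    if mtu is not None and not PLAIN_INT.fullmatch(str(mtu)):
        findings.append("mtu is not a plain integer")
    if any(SHELL_META.search(s) for s in string_leaves(req.get("data"))):
        findings.append("data contains shell metacharacters")
    return findings


# Constructed sample bodies (not captured traffic).
SAMPLES = [
    '{"command": "setWanPortSt", "mtu": "1500", "data": "wan1"}',
    '{"command": "setWanPortSt", "mtu": "1500;CONSTRUCTED", "data": "wan1"}',
    '{"command": "setWanPortSt", "mtu": 1500, "data": {"k": "x`CONSTRUCTED`"}}',
    '{"command": "otherCommand", "mtu": "a;b"}',
]

if __name__ == "__main__":
    for n, body in enumerate(SAMPLES):
        print(n, inspect_body(body) or "ok")
```

A finding is a lead for reviewing the device and its logs, not proof of compromise, and the check does not replace installing the patched firmware.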
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-05-12 | CVE-2022-30525 | OS Command Injection vulnerability in Zyxel products. An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device. | 9.8 |