PT-2022-2515 · Zyxel · Zyxel Usg Flex 50+7
Published 2022-05-12 · Updated 2025-03-13 · CVE-2022-30525
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Zyxel USG FLEX 100(W) versions 5.00 through 5.21 Patch 1
Zyxel USG FLEX 200 versions 5.00 through 5.21 Patch 1
Zyxel USG FLEX 500 versions 5.00 through 5.21 Patch 1
Zyxel USG FLEX 700 versions 5.00 through 5.21 Patch 1
Zyxel USG FLEX 50(W) versions 5.10 through 5.21 Patch 1
Zyxel USG20(W)-VPN versions 5.10 through 5.21 Patch 1
Zyxel ATP series versions 5.10 through 5.21 Patch 1
Zyxel VPN series versions 4.60 through 5.21 Patch 1
Description
An OS command injection vulnerability in the CGI program of Zyxel firewalls could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device. The vulnerability is caused by errors in processing input data in the HTTP administration interface. An attacker can exploit this vulnerability by sending a specially crafted file to the device. According to the Shodan service, there are 16213 potentially vulnerable devices on the global network that accept HTTP/HTTPS requests. The vulnerability has been exploited in real-world incidents, including attempts to spread the Mirai malware. The Chaos malware, a multifunctional malware written in Go, has also been observed exploiting this vulnerability to expand its botnet.
Recommendations
For Zyxel USG FLEX 100(W) versions 5.00 through 5.21 Patch 1, update to firmware version 5.30 or later.
For Zyxel USG FLEX 200 versions 5.00 through 5.21 Patch 1, update to firmware version 5.30 or later.
For Zyxel USG FLEX 500 versions 5.00 through 5.21 Patch 1, update to firmware version 5.30 or later.
For Zyxel USG FLEX 700 versions 5.00 through 5.21 Patch 1, update to firmware version 5.30 or later.
For Zyxel USG FLEX 50(W) versions 5.10 through 5.21 Patch 1, update to firmware version 5.30 or later.
For Zyxel USG20(W)-VPN versions 5.10 through 5.21 Patch 1, update to firmware version 5.30 or later.
For Zyxel ATP series versions 5.10 through 5.21 Patch 1, update to firmware version 5.30 or later.
For Zyxel VPN series versions 4.60 through 5.21 Patch 1, update to firmware version 5.30 or later.
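To apply the affected ranges and the fixed release above to a device inventory, the following added example (not part of the advisory or any Zyxel tooling) classifies each device as affected, fixed, or needing manual review. The inventory label format, the `ATP<n>`/`VPN<n>` series naming and the sample rows are assumptions made for illustration.

```python
import re

# Ranges and fixed release copied from the advisory; tuples are
# (major, minor, patch), so "5.21 Patch 1" becomes (5, 21, 1).
LAST_AFFECTED = (5, 21, 1)
FIXED = (5, 30, 0)
FIRST_AFFECTED = {
    "USG FLEX 100": (5, 0, 0), "USG FLEX 100W": (5, 0, 0),
    "USG FLEX 200": (5, 0, 0), "USG FLEX 500": (5, 0, 0),
    "USG FLEX 700": (5, 0, 0),
    "USG FLEX 50": (5, 10, 0), "USG FLEX 50W": (5, 10, 0),
    "USG20-VPN": (5, 10, 0), "USG20W-VPN": (5, 10, 0),
    "ATP": (5, 10, 0), "VPN": (4, 60, 0),  # listed as whole series
}
VERSION_RE = re.compile(r"^\s*V?(\d+)\.(\d+)(?:\s+Patch\s*(\d+))?\s*$", re.I)

def parse_version(text):
    m = VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0)

def triage(model, version):
    """Return 'affected', 'fixed', 'review' or 'unknown-model'."""
    key = " ".join(model.upper().replace("ZYXEL", "").split())
    if key not in FIRST_AFFECTED:
        # Assumption: series members are labelled ATP<n> / VPN<n>.
        key = next((s for s in ("ATP", "VPN") if key.startswith(s)), None)
    if key is None:
        return "unknown-model"
    v = parse_version(version)
    if v >= FIXED:
        return "fixed"
    if FIRST_AFFECTED[key] <= v <= LAST_AFFECTED:
        return "affected"
    return "review"  # outside every range the advisory states

# Constructed inventory rows (model label, firmware string), not real devices.
INVENTORY = [
    ("Zyxel USG FLEX 200", "5.21 Patch 1"), ("USG FLEX 50W", "5.00"),
    ("VPN100", "4.60"), ("ATP500", "5.30"),
    ("USG20-VPN", "5.21 Patch 2"), ("EXAMPLE-GW", "1.00"),
]

def triage_inventory(rows=INVENTORY):
    return [(m, v, triage(m, v)) for m, v in rows]

if __name__ == "__main__":
    for row in triage_inventory():
        print(*row, sep="\t")
```

A `review` result means the firmware is neither inside a listed affected range nor at 5.30 or later, so the advisory text alone does not settle its status.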
As a temporary workaround, consider disabling the /ztp/cgi-bin/handler API endpoint until a patch is available. Restrict access to the vulnerable CGI program to minimize the risk of exploitation. Avoid using the handler CGI program in the affected API endpoint until the issue is resolved.
Exploit
Fix
OS Command Injection
Affected Products
Zyxel Atp Series
Zyxel Usg Flex 100
Zyxel Usg Flex 200
Zyxel Usg Flex 50
Zyxel Usg Flex 500
Zyxel Usg Flex 700
Zyxel Usg20(W)-Vpn
Zyxel Vpn Series