PT-2022-6318 · Zyxel · Zywall/Usg +3

Atdog · Published 2022-08-22 · Updated 2023-02-14 · CVE-2022-38547

CVSS v2.0: 8.3 (High)
Vector: AV:N/AC:L/Au:M/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Zyxel ZyWALL/USG series firmware versions 4.20 through 4.72
Zyxel VPN series firmware versions 4.30 through 5.32
Zyxel USG FLEX series firmware versions 4.50 through 5.32
Zyxel ATP series firmware versions 4.32 through 5.32
Description

The issue is a command injection vulnerability in a CLI command of Zyxel's firmware: special elements used in the OS command are not properly sanitized, so an authenticated attacker with administrator privileges could execute OS commands. Exploitation of this issue may enable a remote attacker to execute arbitrary commands.
Recommendations

For Zyxel ZyWALL/USG series firmware versions 4.20 through 4.72, update to a version outside of this range to mitigate the risk.
For Zyxel VPN series firmware versions 4.30 through 5.32, update to a version outside of this range to mitigate the risk.
For Zyxel USG FLEX series firmware versions 4.50 through 5.32, update to a version outside of this range to mitigate the risk.
For Zyxel ATP series firmware versions 4.32 through 5.32, update to a version outside of this range to mitigate the risk.
As a temporary workaround, consider restricting access to the CLI command to minimize the risk of exploitation.
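To turn the four affected ranges above into a repeatable inventory check, the following script (added here as an example; it is not Zyxel's or the advisory author's code) compares each device's firmware version against the inclusive ranges stated in this advisory. It assumes versions are given either as plain major.minor strings like "5.32" or with a vendor suffix in parentheses such as "V5.32(ABFW.0)"; the hostnames and versions in the sample inventory are constructed.

```python
"""Check firmware versions against the affected ranges listed in this advisory."""
from typing import Dict, List, Tuple

# Inclusive affected ranges, exactly as stated in the advisory (major.minor).
AFFECTED_RANGES: Dict[str, Tuple[str, str]] = {
    "ZyWALL/USG": ("4.20", "4.72"),
    "VPN": ("4.30", "5.32"),
    "USG FLEX": ("4.50", "5.32"),
    "ATP": ("4.32", "5.32"),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the numeric components of a firmware version as a tuple.

    Accepts "5.32" or a longer form such as "V5.32(ABFW.0)" (assumed format):
    a leading V is dropped, everything from the first "(" is ignored, and the
    remaining dot-separated fields are compared numerically.
    """
    core = text.strip().lstrip("Vv").split("(")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(series: str, version: str) -> bool:
    """True if the version lies inside the advisory's inclusive range for the series."""
    low, high = AFFECTED_RANGES[series]
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return every (hostname, series, version) entry inside an affected range."""
    return [(h, s, v) for h, s, v in inventory if is_affected(s, v)]


# Constructed sample inventory: hypothetical hostnames and versions, not real data.
SAMPLE_INVENTORY = [
    ("fw-branch-1", "USG FLEX", "V5.21(ABUJ.0)"),  # inside 4.50..5.32
    ("fw-hq", "ATP", "5.33"),                      # above 5.32
    ("fw-lab", "ZyWALL/USG", "4.19"),              # below 4.20
    ("fw-vpn", "VPN", "4.30"),                     # lower bound, inclusive
]

if __name__ == "__main__":
    for host, series, version in audit(SAMPLE_INVENTORY):
        print(f"{host}: {series} {version} is inside the affected range")
```

The check takes the advisory's ranges literally: a version below a range is reported as not affected only because the advisory lists no lower versions, so treat such devices as needing a vendor-supported release rather than as cleared. Until a device is updated, the temporary workaround above (restricting access to the CLI) still applies.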

Fix

Weakness Enumeration

OS Command Injection

Related Identifiers

BDU:2023-00837
BDU:2023-00838
CVE-2022-38547

Affected Products

Atp
Usg Flex
Vpn
Zywall/Usg