CVE: CVE-2022-30525
Summary
Zyxel has released patches for an OS command injection vulnerability found by Rapid7 and urges users to install them for optimal protection.
What is the vulnerability?
A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
What versions are vulnerable, and what should you do?
After a thorough investigation, we’ve identified the vulnerable products within their vulnerability support period and released patches to address the vulnerability, as shown in the table below.
Affected model | Affected firmware version | Patch availability |
---|---|---|
USG FLEX 100(W), 200, 500, 700 | ZLD V5.00 through ZLD V5.21 Patch 1 | ZLD V5.30 - ONLINE |
USG FLEX 50(W)/USG20(W)-VPN | ZLD V5.10 through ZLD V5.21 Patch 1 | ZLD V5.30 - ONLINE |
ATP series | ZLD V5.10 through ZLD V5.21 Patch 1 | ZLD V5.30 - ONLINE |
VPN series | ZLD V4.60 through ZLD V5.21 Patch 1 | ZLD V5.30 - ONLINE |
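
To check a device inventory against the table above, the following added example (not code from Zyxel or Rapid7) classifies each device by model family and firmware version. It assumes version strings are written as in this advisory ("ZLD V5.21 Patch 1"); the function names, status labels, host names and sample inventory are constructed for illustration.

```python
import re

# Ranges transcribed from the advisory table: family -> (first, last) affected
# release as (major, minor, patch level). All four rows are fixed in ZLD V5.30.
AFFECTED = {
    "USG FLEX 100(W), 200, 500, 700": ((5, 0, 0), (5, 21, 1)),
    "USG FLEX 50(W)/USG20(W)-VPN": ((5, 10, 0), (5, 21, 1)),
    "ATP series": ((5, 10, 0), (5, 21, 1)),
    "VPN series": ((4, 60, 0), (5, 21, 1)),
}
FIXED = (5, 30, 0)
# Assumed input format, as written in the advisory: "ZLD V5.21 Patch 1".
_VERSION = re.compile(r"^\s*(?:ZLD\s+)?V(\d+)\.(\d{2})(?:\s+Patch\s+(\d+))?\s*$", re.I)

def parse_version(text):
    """Turn 'ZLD V5.21 Patch 1' into (5, 21, 1); no patch suffix means level 0."""
    m = _VERSION.match(text)
    if m is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0)

def classify(family, version):
    """Return 'affected', 'patched' or 'not-listed' for one device."""
    if family not in AFFECTED:
        return "not-listed"  # model family does not appear in the advisory table
    v = parse_version(version)
    first, last = AFFECTED[family]
    if first <= v <= last:
        return "affected"
    # Outside the listed range and below V5.30: the advisory makes no statement.
    return "patched" if v >= FIXED else "not-listed"

def triage(inventory):
    """Map host -> status; unparseable versions are flagged for manual review."""
    report = {}
    for host, family, version in inventory:
        try:
            report[host] = classify(family, version)
        except ValueError:
            report[host] = "unparsed"
    return report

# Constructed sample inventory (hypothetical hosts, not real devices).
SAMPLE = [
    ("fw-branch-01", "ATP series", "ZLD V5.21 Patch 1"),
    ("fw-branch-02", "VPN series", "V4.35"),
    ("fw-hq-01", "USG FLEX 100(W), 200, 500, 700", "ZLD V5.30"),
    ("fw-lab-01", "USG FLEX 50(W)/USG20(W)-VPN", "5.20-beta"),
]
print(triage(SAMPLE))
```

Devices reported as "not-listed" or "unparsed" fall outside what the table states and need a manual check rather than being treated as safe.
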
Firmware Download:
How to upgrade USG devices via cloud-service
Download Firmware from MyZyxel for your Security device (FLEX, ATP, USG, VPN, ZYWALL)
Got a question?
Don't hesitate to get in touch with our Support Team.
Acknowledgement and commentary
Thanks to Rapid7 for reporting the CVE-2022-30525 issue to us. As a CNA, Zyxel always follows the principles of coordinated disclosure to arrange public disclosure with reporters. However, there was a miscommunication during the disclosure coordination process with Rapid7.
Revision history
2022-05-12: Initial release