Zyxel security advisory for OS command injection vulnerability of firewalls

CVE: CVE-2022-30525

 

Summary

Zyxel has released patches for an OS command injection vulnerability found by Rapid7 and urges users to install them for optimal protection.

 

What is the vulnerability?

A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

 

What versions are vulnerable, and what should you do?

After a thorough investigation, we’ve identified the vulnerable products within their vulnerability support period and released patches to address the vulnerability, as shown in the table below.

| Affected model | Affected firmware version | Patch availability |
| --- | --- | --- |
| USG FLEX 100(W), 200, 500, 700 | ZLD V5.00 through ZLD V5.21 Patch 1 | ZLD V5.30 - ONLINE |
| USG FLEX 50(W)/USG20(W)-VPN | ZLD V5.10 through ZLD V5.21 Patch 1 | ZLD V5.30 - ONLINE |
| ATP series | ZLD V5.10 through ZLD V5.21 Patch 1 | ZLD V5.30 - ONLINE |
| VPN series | ZLD V4.60 through ZLD V5.21 Patch 1 | ZLD V5.30 - ONLINE |
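
One way to triage a device inventory against the table above, as an added example that is not Zyxel's code. The model-name patterns and the inventory rows are constructed assumptions, and versions the table does not list (older than a range, or between V5.21 Patch 1 and V5.30) are reported as unlisted rather than guessed.

```python
import re

# Ranges transcribed from the advisory table: (model pattern, first affected version).
# Model-name patterns are assumptions about how an inventory spells the models.
FAMILIES = [
    (re.compile(r"USG FLEX (100W?|200|500|700)"), (5, 0, 0)),
    (re.compile(r"USG FLEX 50W?|USG20W?-VPN"), (5, 10, 0)),
    (re.compile(r"ATP\d+W?"), (5, 10, 0)),
    (re.compile(r"VPN\d+"), (4, 60, 0)),
]
LAST_AFFECTED = (5, 21, 1)   # ZLD V5.21 Patch 1
FIXED = (5, 30, 0)           # ZLD V5.30
VERSION_RE = re.compile(r"V(\d+)\.(\d+)(?:\s+PATCH\s+(\d+))?")


def parse_version(text):
    """Turn 'ZLD V5.21 Patch 1' into (5, 21, 1); return None if unparseable."""
    m = VERSION_RE.search(text.upper())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(model, version):
    """Return 'affected', 'patched' or 'unlisted' for one device."""
    name = " ".join(model.upper().split())
    first = next((lo for pat, lo in FAMILIES if pat.fullmatch(name)), None)
    ver = parse_version(version)
    if first is None or ver is None:
        return "unlisted"
    if ver >= FIXED:
        return "patched"   # assumes releases after V5.30 carry the fix
    if first <= ver <= LAST_AFFECTED:
        return "affected"
    return "unlisted"      # outside the ranges the advisory states


def triage(inventory):
    """Map hostname -> status for (hostname, model, version) rows."""
    return {host: classify(model, ver) for host, model, ver in inventory}


# Constructed inventory rows, for illustration only.
SAMPLE = [
    ("fw-branch-01", "USG FLEX 200", "ZLD V5.21 Patch 1"),
    ("fw-branch-02", "USG FLEX 50W", "ZLD V5.00"),
    ("fw-hq-01", "ATP500", "ZLD V5.30"),
    ("vpn-dc-01", "VPN100", "ZLD V4.60 Patch 2"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Devices reported as unlisted need a manual check against the vendor's support information, since the advisory makes no statement about them.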


Firmware Download:

How to upgrade USG devices via cloud-service
Download Firmware from MyZyxel for your Security device (FLEX, ATP, USG, VPN, ZYWALL)

 

Got a question?

Don't hesitate to get in touch with our Support Team.

 

Acknowledgement and commentary

Thanks to Rapid7 for reporting the CVE-2022-30525 issue to us. As a CNA, Zyxel always follows the principles of coordinated disclosure to arrange public disclosure with reporters. However, there was a miscommunication during the disclosure coordination process with Rapid7.

 

Revision history

2022-05-12: Initial release
