Hackers Are Exploiting a Patched Critical Vulnerability in Zyxel Firewall and VPN Devices for Businesses

Zyxel, the networking vendor whose firewall and VPN appliances provide security and networking functions to small and medium-sized businesses, has confirmed a severe vulnerability in those devices, tracked as CVE-2022-30525.

The CVE-2022-30525 vulnerability was discovered by Jake Baines, lead security researcher at Rapid7, in April 2022. The vulnerability makes it possible for an unauthenticated and remote attacker to execute arbitrary code on an affected device in the context of the nobody user.

Zyxel Firewall's CVE-2022-30525

CVE-2022-30525 is an OS command injection flaw that an unauthenticated, remote attacker can exploit through the administrative HTTP interface of the vulnerable firewalls. This gives the attacker the ability to modify specific files and execute OS commands on the device.

Baines of Rapid7, who discovered the vulnerability, stated that the details were published in accordance with Rapid7's vulnerability disclosure policy.

Publishing the details of a flaw that is already being exploited in the wild lets defenders verify their own exposure before more devices are breached. The administrative HTTP interface of the affected models accepts command injection from unauthenticated remote clients, and any command the attacker injects runs as the nobody user.

According to Rapid7, the flaw is exploited through the /ztp/cgi-bin/handler URI. It results from passing unsanitized attacker input to the os.system method in lib_wan_settings.py. The vulnerable code path is invoked by the setWanPortSt command, and an attacker can inject arbitrary commands through either the mtu or the data parameter.

As reported by Help Net Security, Zyxel has confirmed that the following firewall models and firmware versions are affected by the vulnerability:

  • USG FLEX 100 (W), 200, 500, and 700: firmware ZLD V5.00 through ZLD V5.21 Patch 1.

  • USG FLEX 50 (W) and USG20 (W)-VPN: firmware ZLD V5.10 through ZLD V5.21 Patch 1.

  • ATP series: firmware ZLD V5.10 through ZLD V5.21 Patch 1.

  • VPN series: firmware ZLD V4.60 through ZLD V5.21 Patch 1.

Zyxel Firewall Vulnerability Patch

A month has passed since Rapid7 reported the CVE-2022-30525 vulnerability to Zyxel. However, it remains unpatched on a large number of internet-exposed devices and is still being exploited in the wild.

Zyxel has released a patch (firmware ZLD V5.30), which attackers can diff against earlier firmware to reverse-engineer the fix, and Rapid7 has published a Metasploit module that exploits the flaw.

As a result, the more than 15,000 vulnerable devices discoverable through Shodan may be targeted by attackers in the days and weeks ahead, most likely by initial access brokers.

As an additional mitigation, Baines stated, "If possible, enable automatic firmware updates. Disable WAN access to the administrative web interface of the system."

Rapid7 reported at the time of publication that more than 15,000 vulnerable devices were reachable on the internet. Over the following weekend, the Shadowserver Foundation raised that count to over 20,800 potentially affected Zyxel firewalls.

After Rapid7 reported the vulnerability to Zyxel on April 13, the Taiwanese hardware manufacturer silently released patches on April 28 without an advisory. Rapid7 did not become aware of the release until May 9, and on May 12 it published its blog post and the Metasploit module alongside Zyxel's own security notice.

Zyxel later clarified that there had been a miscommunication during the coordinated disclosure process and said it continues to follow the principles of coordinated disclosure.


© 2024 iTech Post All rights reserved. Do not reproduce without permission.