Home / About / Threat Intelligence / Zyxel firewalls under active exploitation


Network administrators are being urged to patch Zyxel firewalls to address a critical vulnerability (CVE-2022-30525). The vulnerability has been seen under active exploitation and allows remote code execution (RCE) via an HTTP request of the devices.


An unauthenticated remote attacker can run commands on a firewall exposed to the internet.

Vulnerability Detection

A researcher, BlueNinja, has published detection logic for exploitation attempts on GitHub. This will produce a lot of noise if enabled for external-facing devices.

Affected Products

Firmware ZLD5.00 up to ZLD5.21 Patch 1 in the following devices:

  • USG FLEX 100, 100W, 200, 500, 700
  • ATP 100, 200, 500, 700, 800

The VPN series is not affected.

Containment, Mitigations & Remediations

Administrators are being urged to patch the critical flaw immediately.

Indicators of Compromise

None listed.

Threat Landscape

This is under active exploitation and a Metasploit module has been released, making exploitation trivial. Zyxel firewalls are used mostly amongst small- to medium-sized enterprises primarily because of the features and price-point. More than 15,000 devices are potentially vulnerable.

Mitre Methodologies

T1190 РExploit Public-Facing Application

Further Information

Zyxel Firewall Unauthenticated Remote Command Injection