Zyxel firewalls under active exploitation
Update: 12th September 2022 4pm (GMT)
Threat researchers have reported an increase in scanning for vulnerable Zyxel firewalls. The critical vulnerability (CVE-2022-30525), an OS command injection flaw in the device's CGI program, was first reported in May.
Exploited devices have Mirai installed on them and are then used to brute-force telnet servers around the world.
Updated Indicators of Compromise
- 171.22.30.213
- 205.185.113.157
- salanes.com
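The post-exploitation behaviour described above (contact with the listed IoCs, then telnet brute-forcing from the compromised firewall) can be hunted for in outbound connection logs. The following is an added example, not code from the advisory or from Zyxel; the log line format, the WAN address 192.0.2.10 and the fan-out threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# IoCs listed in the 12th September update
IOC_IPS = {"171.22.30.213", "205.185.113.157"}
IOC_DOMAINS = {"salanes.com"}
# Distinct tcp/23 destinations from one source before we treat it as brute-force fan-out (assumed tuning value)
TELNET_FANOUT_THRESHOLD = 5

# Constructed log line format (not Zyxel's real syslog syntax):
# "<timestamp> src=<ip> dst=<ip-or-host> dport=<port>"
LINE_RE = re.compile(r"^\S+ src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def matches_ioc(dst):
    """True if dst is a listed IP, a listed domain, or a subdomain of one."""
    host = dst.lower().rstrip(".")
    return host in IOC_IPS or any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def analyse(lines):
    """Return (finding, source, detail) tuples for IoC contacts and telnet fan-out."""
    findings = []
    telnet_targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a connection record
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if matches_ioc(dst):
            findings.append(("ioc_contact", src, dst))
        if dport == 23:
            telnet_targets[src].add(dst)
    # A firewall opening telnet sessions to many distinct hosts is behaving like a Mirai bot
    for src, targets in sorted(telnet_targets.items()):
        if len(targets) >= TELNET_FANOUT_THRESHOLD:
            findings.append(("telnet_fanout", src, len(targets)))
    return findings


# Constructed sample: 192.0.2.10 is the firewall's WAN address, 198.51.100.x are arbitrary hosts
SAMPLE_LOG = [
    "2022-09-12T15:01:02Z src=192.0.2.10 dst=205.185.113.157 dport=80",
    "2022-09-12T15:01:03Z src=192.0.2.10 dst=cdn.salanes.com dport=80",
    "2022-09-12T15:02:00Z src=192.0.2.10 dst=198.51.100.1 dport=23",
    "2022-09-12T15:02:01Z src=192.0.2.10 dst=198.51.100.2 dport=23",
    "2022-09-12T15:02:01Z src=192.0.2.10 dst=198.51.100.3 dport=23",
    "2022-09-12T15:02:02Z src=192.0.2.10 dst=198.51.100.4 dport=23",
    "2022-09-12T15:02:02Z src=192.0.2.10 dst=198.51.100.5 dport=23",
    "2022-09-12T15:02:03Z src=192.0.2.10 dst=198.51.100.5 dport=23",  # repeat target, not counted twice
    "2022-09-12T15:03:00Z src=192.0.2.55 dst=192.0.2.77 dport=23",  # single admin telnet session, benign
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```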
Updated Mitre Methodologies
T1423 - Network Service Scanning
T1016 - System Network Configuration Discovery
Further Information
Malicious Mirai 5b6ffa2b728b5c0a2d2b5a1b690882c3 – Intezer
19th May 2022
Overview
Network administrators are being urged to patch Zyxel firewalls to address a critical vulnerability (CVE-2022-30525). The vulnerability has been seen under active exploitation and allows remote code execution (RCE) via a crafted HTTP request to an affected device.
Impact
An unauthenticated remote attacker can run commands on a firewall exposed to the internet.
Vulnerability Detection
A researcher, BlueNinja, has published detection logic for exploitation attempts on GitHub. Note that it will produce a lot of noise if enabled on external-facing devices.
Affected Products
Firmware ZLD5.00 up to ZLD5.21 Patch 1 in the following devices:
- USG FLEX 100, 100W, 200, 500, 700
- USG20-VPN, USG20W-VPN
- ATP 100, 200, 500, 700, 800
The VPN series is not affected.
Containment, Mitigations & Remediations
Administrators are being urged to patch the critical flaw immediately.
Indicators of Compromise
None listed.
Threat Landscape
This vulnerability is under active exploitation and a Metasploit module has been released, making exploitation trivial. Zyxel firewalls are used mostly by small- and medium-sized enterprises, primarily because of their feature set and price point. More than 15,000 devices are potentially vulnerable.
Mitre Methodologies
T1190 – Exploit Public-Facing Application