Update: 12th September 2022 4pm (GMT)
Threat researchers have reported an increase in scanning for vulnerable Zyxel firewalls. The critical vulnerability (CVE-2022-30525), an OS command injection vulnerability in the CGI programme, was first reported in May.
Exploited devices have Mirai installed on them and are then used to brute-force telnet servers around the world.
Updated Indicators of Compromise
Updated Mitre Methodologies
T1423 - Network Service Scanning
T1016 - System Network Configuration Discovery
19th May 2022
Network administrators are being urged to patch Zyxel firewalls to address a critical vulnerability (CVE-2022-30525). The vulnerability has been seen under active exploitation and allows remote code execution (RCE) via an HTTP request to the device.
An unauthenticated remote attacker can run commands on a firewall exposed to the internet.
A researcher, BlueNinja, has published detection logic for exploitation attempts on GitHub. This will produce a lot of noise if enabled for external-facing devices.
Firmware ZLD5.00 up to ZLD5.21 Patch 1 on the following devices is affected:
- USG FLEX 100, 100W, 200, 500, 700
- USG20-VPN, USG20W-VPN
- ATP 100, 200, 500, 700, 800
The VPN series is not affected.
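The affected-product list above is the information a patch-tracking team needs first. The following script, added here as an example and not code from Zyxel or the advisory's author, turns it into an inventory check: it parses ZLD version strings in the form the advisory uses (`ZLD5.21 Patch 1`, with a bare `V` prefix also accepted), compares them against the inclusive range ZLD5.00 to ZLD5.21 Patch 1 exactly as the advisory words it, and matches device models against the list. The inventory rows are constructed sample data; the `is_affected` and `triage_inventory` function names are assumptions of this example.

```python
import re
from typing import List, NamedTuple, Tuple

# Affected models, transcribed from the advisory's list (stored upper-case so
# model names from an inventory can be matched case-insensitively).
AFFECTED_MODELS = {
    "USG FLEX 100", "USG FLEX 100W", "USG FLEX 200", "USG FLEX 500", "USG FLEX 700",
    "USG20-VPN", "USG20W-VPN",
    "ATP 100", "ATP 200", "ATP 500", "ATP 700", "ATP 800",
}


class ZldVersion(NamedTuple):
    """ZLD firmware version as (major, minor, patch); tuple order gives the comparison."""
    major: int
    minor: int
    patch: int


# Affected range, inclusive at both ends, taken literally from the advisory:
# "ZLD5.00 up to ZLD5.21 Patch 1". Anything outside it is reported as not affected.
FIRST_AFFECTED = ZldVersion(5, 0, 0)
LAST_AFFECTED = ZldVersion(5, 21, 1)

# Accepts "ZLD5.21 Patch 1", "ZLD5.00", "V5.10 Patch 2" and similar.
_VERSION_RE = re.compile(
    r"^\s*(?:ZLD|V)?\s*(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_zld_version(text: str) -> ZldVersion:
    """Parse a ZLD version string; a missing 'Patch n' suffix means patch level 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {text!r}")
    major, minor, patch = m.groups()
    return ZldVersion(int(major), int(minor), int(patch or 0))


def normalise_model(model: str) -> str:
    """Collapse whitespace and upper-case a model name for lookup."""
    return re.sub(r"\s+", " ", model.strip()).upper()


def is_affected(model: str, version: str) -> bool:
    """True when the model is in the advisory list and the firmware is in the affected range."""
    if normalise_model(model) not in AFFECTED_MODELS:
        return False  # e.g. the VPN series, which the advisory says is not affected
    return FIRST_AFFECTED <= parse_zld_version(version) <= LAST_AFFECTED


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (model, version) rows that need patching."""
    return [(model, version) for model, version in inventory if is_affected(model, version)]


# Constructed sample inventory (not real devices); comments give the expected verdict.
SAMPLE_INVENTORY = [
    ("USG FLEX 100", "ZLD5.21 Patch 1"),  # affected: last version in the range
    ("USG FLEX 200", "ZLD5.10"),          # affected
    ("ATP 800", "ZLD5.30"),               # not affected: newer than the range
    ("USG20-VPN", "ZLD4.73 Patch 1"),     # not affected: older than the range
    ("VPN 300", "ZLD5.21"),               # not affected: VPN series
    ("usg flex 700", "V5.00"),            # affected: model name normalised
]

if __name__ == "__main__":
    for model, version in triage_inventory(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED: {model} running {version}")
```

Feed it the model and firmware columns exported from whatever asset register or monitoring system holds the firewall fleet; the version parser raises on strings it does not understand rather than silently treating them as unaffected, so unexpected formats surface for manual review instead of dropping out of the report.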
Containment, Mitigations & Remediations
Administrators are being urged to patch the critical flaw immediately.
Indicators of Compromise
This is under active exploitation and a Metasploit module has been released, making exploitation trivial. Zyxel firewalls are used mostly amongst small- to medium-sized enterprises primarily because of the features and price-point. More than 15,000 devices are potentially vulnerable.
T1190 – Exploit Public-Facing Application