Home / Threat Intelligence bulletins / Zyxel firewalls under active exploitation

Update: 12th September 2022 4pm (GMT) 

Threat researchers have reported an increase in scanning for vulnerable Zyxel firewalls. The critical vulnerability (CVE-2022-30525), an OS command injection vulnerability in the CGI programme, was first  reported in May 

Exploited devices have Mirai installed on them and are then used to brute-force telnet servers around the world. 

Updated Indicators of Compromise 

  • salanes.com 

Updated Mitre Methodologies

T1423 - Network Service Scanning 

T1016 - System Network Configuration Discovery 

Further Information

Malicious Mirai 5b6ffa2b728b5c0a2d2b5a1b690882c3 – Intezer 

19th May 2022


Network administrators are being urged to patch Zyxel firewalls to address a critical vulnerability (CVE-2022-30525). The vulnerability has been seen under active exploitation and allows remote code execution (RCE) via an HTTP request of the devices.


An unauthenticated remote attacker can run commands on a firewall exposed to the internet.

Vulnerability Detection

A researcher, BlueNinja, has published detection logic for exploitation attempts on GitHub. This will produce a lot of noise if enabled for external-facing devices.

Affected Products

Firmware ZLD5.00 up to ZLD5.21 Patch 1 in the following devices:

  • USG FLEX 100, 100W, 200, 500, 700
  • ATP 100, 200, 500, 700, 800

The VPN series is not affected.

Containment, Mitigations & Remediations

Administrators are being urged to patch the critical flaw immediately.

Indicators of Compromise

None listed.

Threat Landscape

This is under active exploitation and a Metasploit module has been released, making exploitation trivial. Zyxel firewalls are used mostly amongst small- to medium-sized enterprises primarily because of the features and price-point. More than 15,000 devices are potentially vulnerable.

Mitre Methodologies

T1190 – Exploit Public-Facing Application

Further Information

Zyxel Firewall Unauthenticated Remote Command Injection