Zyxel Patches a Critical Firewall Vulnerability

May 15, 2022 

Zyxel has released a security advisory addressing a critical unauthenticated remote command injection vulnerability affecting several firewall models.

The Vulnerability

  • CVE-2022-30525 (CVSS: 9.8 – critical) – An unauthenticated remote command injection vulnerability in the HTTP interface, affecting Zyxel firewalls that support Zero Touch Provisioning (ZTP).
    Successful exploitation could allow an attacker to gain full access to the devices and to internal corporate networks.

Vulnerable Products

The following Zyxel firewall series are affected: 

  • ‘USG FLEX’ – 50, 50W, 100W, 200, 500, 700 using firmware 5.21 and below
  • ‘USG20-VPN’ and ‘USG20W-VPN’ using firmware 5.21 and below
  • ATP 100, 200, 500, 700, 800 using firmware 5.21 and below

Mitigation

CYREBRO recommends updating all affected products to the latest version – ZLD V5.30.  

References: Zyxel Advisory 