Reference: Advisory #2022-0014
Version: 1.0
Affected software:
ATP series running firmware ZLD V5.10 through ZLD V5.21 Patch 1
USG FLEX 100(W), 200, 500, 700 running firmware ZLD V5.00 through ZLD V5.21 Patch 1
USG FLEX 50(W) / USG20(W)-VPN running firmware ZLD V5.10 through ZLD V5.21 Patch 1
VPN series running firmware ZLD V4.60 through ZLD V5.21 Patch 1
Type: Unauthenticated Remote Command Execution (RCE)
CVE/CVSS: CVE-2022-30525 (CVSS 9.8)
Official Manufacturer: https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml
NVD: CVE-2022-30525 (nist.gov)
Firewall products are used to protect the internal network infrastructure and keep attackers out of the internal network.
Attackers are actively exploiting this critical vulnerability in order to gain access to systems and use the VPN and Firewall products as initial access points into the internal network.
Access can be used or sold afterwards for espionage, data exfiltration, ransomware, and other high-impact attacks.
Successful exploitation allows a remote attacker to inject arbitrary commands without authentication, which can enable the attacker to gain access to the system and move laterally to the rest of the network.
CERT.be recommends upgrading Zyxel device firmware to version "ZLD V5.30".
CERT.be recommends using Two-Factor Authentication (2FA) protection for admin and VPN connections configured on these devices.
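To triage a device inventory against the affected firmware ranges listed above, the following added example (not part of the CERT.be advisory or of any Zyxel tooling) classifies a device by model name and firmware string. The model-name patterns and the `ZLD Vx.yy Patch n` string format are assumptions taken from how the advisory writes them; adapt them to what your inventory actually records.

```python
import re

# Affected ranges from the advisory, as (major, minor, patch) tuples.
# "ZLD V5.21 Patch 1" -> (5, 21, 1). Model patterns are assumptions.
LAST_AFFECTED = (5, 21, 1)
AFFECTED = [
    (re.compile(r"^ATP"), (5, 10, 0)),
    (re.compile(r"^USG FLEX (100W?|200|500|700)$"), (5, 0, 0)),
    (re.compile(r"^(USG FLEX 50W?|USG20W?-VPN)$"), (5, 10, 0)),
    (re.compile(r"^VPN"), (4, 60, 0)),
]
VERSION_RE = re.compile(r"V(\d+)\.(\d{2})(?:\s+Patch\s*(\d+))?", re.IGNORECASE)


def parse_version(firmware):
    """Return (major, minor, patch) or None if the string is not recognised."""
    m = VERSION_RE.search(firmware)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def assess(model, firmware):
    """Classify one device against the advisory's affected ranges."""
    name = " ".join(model.upper().split())  # normalise case and spacing
    version = parse_version(firmware)
    if version is None:
        return "unparsed-version"  # needs manual review, never "safe"
    for pattern, first_affected in AFFECTED:
        if pattern.search(name):
            in_range = first_affected <= version <= LAST_AFFECTED
            return "affected" if in_range else "outside-range"
    return "not-listed"


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    inventory = [
        ("ATP200", "ZLD V5.21 Patch 1"),
        ("USG FLEX 50W", "ZLD V5.00"),
        ("VPN300", "ZLD V4.60"),
        ("USG20-VPN", "ZLD V5.30"),
        ("ATP100", "firmware unknown"),
    ]
    for model, firmware in inventory:
        print(f"{model:14} {firmware:20} {assess(model, firmware)}")
```

A result of `outside-range` only means the version is not in the ranges the advisory lists; devices below the recommended ZLD V5.30 should still be scheduled for upgrade.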