May 15, 2022
Zyxel Patches a Critical Firewall Vulnerability
Zyxel has released a security advisory addressing a critical unauthenticated remote command injection vulnerability affecting several firewall models.
- CVE-2022-30525 (CVSS: 9.8 – critical) – An unauthenticated remote command injection vulnerability in the HTTP interface, affecting Zyxel firewalls that support Zero Touch Provisioning (ZTP).
Successful exploitation could allow an attacker to gain full access to devices and the internal corporate networks.
The following Zyxel firewall series are affected:
- ‘USG FLEX’ – 50, 50W, 100W, 200, 500, 700 using firmware 5.21 and below.
- ‘USG20-VPN’ and ‘USG20W-VPN’ using firmware 5.21 and below.
- ATP 100, 200, 500, 700, 800 using firmware 5.21 and below.
CYREBRO recommends updating all affected products to the latest version – ZLD V5.30.
References: Zyxel Advisory