Rapid7 researchers recently discovered a critical vulnerability in several of Zyxel's firewalls. The vulnerability makes it possible to compromise the firewalls through remote command injection via the firewalls' management interface.
According to the security specialists, the main danger of the discovered vulnerability, CVE-2022-30525, lies in how easily it can be exploited. Attackers can execute a command injection through the HTTP interface of the affected firewalls. The injected commands are executed as the so-called 'nobody' user. An attack uses the /ztp/cgi-bin/handler URI of the firewalls.
The vulnerability is so easy to exploit mainly because no authentication is required and because it can be abused in the default configuration of the vulnerable devices. As a result, tens of thousands of devices worldwide can be taken over remotely.
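Because the attack path is an unauthenticated HTTP request to the ZTP handler, web-access logs are the obvious place to look for attempts. The following triage script is an added example, not code from Rapid7 or Zyxel; it assumes logs in combined log format and uses a constructed trusted management network (192.0.2.0/24) and constructed sample log lines.

```python
import ipaddress
import re
from dataclasses import dataclass

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ZTP_HANDLER = "/ztp/cgi-bin/handler"  # URI named in the advisory
SHELL_META = re.compile(r"[;|`$&]")   # characters commonly used to chain shell commands
TRUSTED_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed management network

# Constructed sample lines; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2022:10:01:02 +0000] "POST /ztp/cgi-bin/handler HTTP/1.1" 200 17 "-" "curl/7.68.0"
192.0.2.10 - - [12/May/2022:10:01:05 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.3 - - [12/May/2022:10:02:11 +0000] "POST /ztp/cgi-bin/handler?name=a;b HTTP/1.1" 200 9 "-" "python-requests/2.27"
192.0.2.10 - - [12/May/2022:10:03:00 +0000] "GET /ztp/cgi-bin/handler HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

@dataclass
class Finding:
    ip: str
    method: str
    target: str
    reason: str

def triage(log_text, trusted_net=TRUSTED_NET):
    """Return requests to the ZTP handler that come from outside the trusted
    management network or carry shell metacharacters in the request target."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as combined log format
        path = m["target"].split("?", 1)[0]
        if path != ZTP_HANDLER:
            continue
        reasons = []
        if ipaddress.ip_address(m["ip"]) not in trusted_net:
            reasons.append("untrusted source reached the ZTP handler")
        if SHELL_META.search(m["target"]):
            reasons.append("shell metacharacters in request target")
        if reasons:
            findings.append(Finding(m["ip"], m["method"], m["target"], "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ip} {f.method} {f.target} -> {f.reason}")
```

Hits from trusted sources with a clean request target are left alone so that legitimate provisioning traffic does not drown out the review queue.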
Multiple appliances affected
Rapid7 found that several Zyxel devices are affected by the vulnerability.
According to the researchers, these devices share so-called zero-touch provisioning (ZTP) functionality, and it is this functionality that the discovered vulnerability abuses. The affected Zyxel devices are aimed at smaller companies and branch offices. They offer VPN connectivity, SSL inspection, web filtering, intrusion protection and email security, and can handle up to 5 Gbps of traffic.
Firmware update fixes issue
Zyxel has since quietly rolled out a firmware update that resolves the vulnerability. Users of the affected models are urged to install the firmware update as soon as possible.