Zyxel firewalls with critical vulnerability CVE-2022-30525 – patch urgently

Sicherheit (Pexels, allgemeine Nutzung)[German]In addition to the vulnerabilities in F5 BIG-IP network devices mentioned in the blog post Destructive attacks via critical F5 BIG-IP vulnerability, Zyxel is also dealing with an Unauthenticated Remote Command Injection vulnerability CVE-2022-30525 in its firewalls. Operators of corresponding Zyxel firewalls should immediately install the provided updates to close the serious vulnerability.


The Internet Storm Center (SANS ISC) points out in the following tweet not only the Intel and HP BIOS updates mentioned in the blog post BIOS updates fix critical vulnerabilities in HP's business and consumer models and Intel CPUs (May 2022). It also mentions a Zyxel RCE vulnerability in their firewalls, which is described in more detail by rapid7 in this post.

Zyxel RCE Vulnerability

Rapid7 has already encountered a security vulnerability in April 2022 that affects various Zyxel firewall models that support Zero Touch Provisioning (ZTP). These include the ATP series, VPN series, and USG FLEX series (including USG20-VPN and USG20W-VPN). The vulnerability CVE-2022-30525 allows an unauthenticated attacker to remotely execute arbitrary code on the affected device as a nobody user. The rapid7 post describes the details of the vulnerability in detail. The following models are affected, with the Shodan search engine reporting around 17,000 vulnerable devices:

Affected Model Affected Firmware Version
USG FLEX 100, 100W, 200, 500, 700 ZLD5.00 thru ZLD5.21 Patch 1
USG20-VPN, USG20W-VPN ZLD5.10 thru ZLD5.21 Patch 1
ATP 100, 200, 500, 700, 800 ZLD5.10 thru ZLD5.21 Patch 1

The VPN series, which also supports ZTP, is not vulnerable because it does not support the required functionality. Zyxel released this advisory on May 12, 2022 with more information on affected models and available updates. The ZLD V5.30 update, which was probably deployed on May 9, 2022, is expected to fix the vulnerability. Thanks to the blog readers who also pointed out the issue in comments and by mail.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published.