Do you use a Zyxel firewall?  If so, there’s good news.  The company has fixed an issue you may not have even been aware that you had.

The company pushed out the fix in a silent update a little over two weeks ago, but when they implemented the push, they didn’t provide many details about it.  More of those details are emerging now.

Security researchers at Rapid7 discovered a critical security flaw, now being tracked as CVE-2022030525, which is listed as being a severity 9.8 (critical) issue.

The flaw is described as an unauthenticated remote command injection issue, via the HTTP interface.  It impacts all Zyxel firewalls that support Zero Touch Provisioning running firmware versions ZLD5.00 to ZLD5.21 Patch 1.

The following models are specifically impacted:

• USG FLEX 50, 50W, 100W, 200, 500, 700 using firmware 5.21 and below
• USG20-VPN and USG20W-VPN using firmware 5.21 and below
• And ATP 100, 200, 500, 700, 800 using firmware 5.21 and below

According to the company, these products are most commonly found in smaller branch offices and corporate headquarters for SSL inspection, VPN, web filtering, email security, and intrusion protection.

Per the Rapid7 report given to Zyxel on April 13, 2022:

“Commands are executed as the “nobody” user. This vulnerability is exploited through the /ztp/cgi-bin/handler URI and is the result of passing unsanitized attacker input into the os.system method in lib_wan_settings.py.

The vulnerable functionality is invoked in association with the setWanPortSt command. An attacker can inject arbitrary commands into the mtu or the data parameter.”

For their part, Zyxel moved very quickly on the issue.  They initially promised to release a fix by June 2022, but quietly pushed out the patch on April 28th, 2022 without supplying a security advisory or other technical details.

We’re not sure why that decision was made, but we’re very pleased to gain access to those details now. Kudos to Zyxel for their rapid response!