Critical Zyxel Firewall Bug Under Active Attack After PoC Exploit Debut

Zyxel firewalls are under active cyberattack after a critical security vulnerability was disclosed last week that could allow unauthenticated, remote arbitrary code execution.

The bug (CVE-2022-30525, CVSS 9.8) was silently patched in April, but no public disclosure was made until last Thursday, May 12, when Rapid7 released a technical report on the issue. It also debuted a working proof-of-concept exploit that clearly snagged the attention of the bad-actor set: Just one day later, in-the-wild attacks started.

Zyxel’s ATP, VPN, and USG FLEX series business firewalls are affected. Shadowserver identified nearly 21,000 potentially vulnerable devices hanging around as of Sunday, prompting US National Security Agency cyber director Rob Joyce to issue a call-to-patch tweet.

The vulnerability can be triggered via a device’s HTTP interface to open a reverse shell and allow code execution as the “nobody” user. The nobody user is less privileged than actual user accounts, but a successful attack could still allow a nefarious type to "modify specific files and then execute some OS commands on a vulnerable device," Zyxel warned. In a worst-case scenario, attackers could potentially gain control of the host operating system, disabling the firewall and opening the network to follow-on attacks.