Critical Zyxel Firewall Bug Under Active Attack After PoC Exploit Debut

Just one day after disclosure, cyberattackers are actively going after the command-injection/code-execution vulnerability in Zyxel's gear.

Source: the lightwriter via Alamy Stock Photo

Zyxel firewalls are under active cyberattack after a critical security vulnerability was disclosed last week that could allow unauthenticated, remote arbitrary code execution.

The bug (CVE-2022-30525, CVSS 9.8) was silently patched in April, but no public disclosure was made until last Thursday, May 12, when Rapid7 released a technical report on the issue. It also debuted a working proof-of-concept exploit that clearly snagged the attention of the bad-actor set: Just one day later, in-the-wild attacks started.

Zyxel’s ATP, VPN, and USG FLEX series business firewalls are affected. Shadowserver identified nearly 21,000 potentially vulnerable devices hanging around as of Sunday, prompting US National Security Agency cyber director Rob Joyce to issue a call-to-patch tweet.

The vulnerability can be triggered via a device’s HTTP interface to open a reverse shell and allow code execution as the “nobody” user. The nobody user is less privileged than actual user accounts, but a successful attack could still allow a nefarious type to "modify specific files and then execute some OS commands on a vulnerable device," Zyxel warned. In a worst-case scenario, attackers could potentially gain control of the host operating system, disabling the firewall and opening the network to follow-on attacks.

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights