Zyxel’s ATP, VPN, and USG FLEX series business firewalls are affected by a Remote Code Execution (RCE) vulnerability that allows unauthenticated attackers to execute arbitrary commands on the affected devices. Over 20,800 devices are affected by this vulnerability, many of them in France and Italy. Barracuda MSP recommends applying the latest patches to these firewalls to mitigate the vulnerability.
Technical Detail & Additional Information
What is the threat?
Known as CVE-2022-30525, the vulnerability is exploited through a device’s HTTP interface to gain a reverse shell. The threat actor can then remotely execute commands as the “nobody” user on an affected firewall without providing any form of authentication. Once in, the threat actors can move laterally through the network and attempt to gain control of the host operating system to disable the firewall and begin a barrage of additional attacks.
Why is it noteworthy?
This vulnerability carries a critical Common Vulnerability Scoring System (CVSS) score of 9.8. While many affected Zyxel customers are found in France and Italy, these firewalls are deployed around the globe. The firewalls are marketed to both small and large corporations, so attackers have ample opportunity to carry out their attack once they have identified the vulnerable devices, which are publicly accessible.
What is the exposure or risk?
This vulnerability can allow an attacker to compromise affected devices and pivot inside the victim’s internal network. The attacker can easily extend their reach to internal systems that are not exposed to the internet and compromise proprietary or confidential information related to the victim or any customers they may serve.
What are the recommendations?
Barracuda MSP recommends installing the security update released by Zyxel as soon as possible. It is recommended to enable automatic firmware updates and disable WAN access to the administrative web interface of the system. The following Zyxel firewall models are affected:
- USG FLEX 100, 100W, 200, 500, 700
- USG20-VPN, USG20W-VPN
- ATP 100, 200, 500, 700, 800
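As an added example, not code from Barracuda MSP or Zyxel, the script below triages a firewall inventory against the three recommendations above: it matches inventory model strings to the affected-model list, compares firmware against a fixed version you supply, and flags devices whose administrative web interface is reachable from the WAN. The inventory field names, the assumed ZLD version string format (e.g. `V5.21(ABUI.1)`), the sample devices and the `FIXED_VERSION` placeholder are all assumptions; the real fixed version comes from Zyxel’s bulletin, which this advisory does not quote.

```python
import re

# Affected models, exactly as the advisory lists them.
AFFECTED_MODELS = {
    "USG FLEX 100", "USG FLEX 100W", "USG FLEX 200", "USG FLEX 500", "USG FLEX 700",
    "USG20-VPN", "USG20W-VPN", "ATP 100", "ATP 200", "ATP 500", "ATP 700", "ATP 800",
}

def normalize_model(raw):
    """Map inventory spellings such as 'atp500' or 'usg flex 100w' to the advisory's form."""
    s = re.sub(r"\s+", " ", raw.strip().upper())
    return re.sub(r"^(ATP|USG FLEX) ?(\d+)", r"\1 \2", s)  # 'ATP500' -> 'ATP 500'

def parse_version(v):
    """Parse an assumed 'V5.21(ABUI.1)' style ZLD string into (major, minor, patch)."""
    m = re.match(r"V?(\d+)\.(\d+)(?:\(\w+\.(\d+)\))?$", v.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {v!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def triage(inventory, fixed_version):
    """One finding per device, highest risk first, with the advisory's three actions."""
    fixed, findings = parse_version(fixed_version), []
    for dev in inventory:
        model = normalize_model(dev["model"])
        affected = model in AFFECTED_MODELS
        needs_patch = affected and parse_version(dev["firmware"]) < fixed
        exposed = affected and dev.get("wan_admin_https", False)
        actions = []
        if needs_patch:
            actions.append("install Zyxel security update")
        if affected and not dev.get("auto_update", False):
            actions.append("enable automatic firmware updates")
        if exposed:
            actions.append("disable WAN access to admin web interface")
        findings.append({"host": dev["host"], "model": model, "affected": affected,
                         "needs_patch": needs_patch, "wan_admin_exposed": exposed, "actions": actions})
    # Unpatched devices whose admin interface is reachable from the WAN come first.
    findings.sort(key=lambda f: (f["needs_patch"], f["wan_admin_exposed"]), reverse=True)
    return findings

# Constructed sample inventory (not real devices). FIXED_VERSION is a placeholder; take the
# real value from Zyxel's bulletin, which this advisory does not quote.
FIXED_VERSION = "V5.99(PLACEHOLDER.0)"
SAMPLE_INVENTORY = [
    {"host": "fw-a", "model": "usg flex 100w", "firmware": "V5.21(ABUI.0)", "wan_admin_https": True, "auto_update": False},
    {"host": "fw-b", "model": "ATP500", "firmware": "V5.99(ABUI.1)", "wan_admin_https": False, "auto_update": True},
    {"host": "sw-c", "model": "GS1920", "firmware": "V4.70(ABMX.0)", "wan_admin_https": True, "auto_update": False},
]
```

Run `triage(SAMPLE_INVENTORY, FIXED_VERSION)` to get the prioritised list; devices that are not in the affected list come back with no actions so the same inventory can be fed in unfiltered.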
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/
- https://www.darkreading.com/risk/zyxel-firewalls-active-attack-poc-exploit-debut?utm_content=bufferd8db6&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
- https://www.zdnet.com/article/nasty-zyxel-remote-execution-bug-is-being-exploited/
- https://thehackernews.com/2022/05/watch-out-hackers-begin-exploiting.html
- https://duo.com/decipher/exploitation-attempts-start-for-zyxel-rce-bug
If you have any questions, please contact our Security Operations Center.