Zyxel has moved to address a critical security vulnerability affecting Zyxel firewall devices that enables unauthenticated, remote attackers to gain arbitrary code execution.
“A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device,” the company said in an advisory published Thursday.
Cybersecurity firm Rapid7, which discovered and reported the flaw on April 13, 2022, said that the weakness could permit a remote unauthenticated adversary to execute code as the “nobody” user on impacted appliances.
Tracked as CVE-2022-30525 (CVSS score: 9.8), the flaw impacts the following products, with patches released in version ZLD V5.30:
- USG FLEX 100(W), 200, 500, 700
- USG FLEX 50(W) / USG20(W)-VPN
- ATP series, and
- VPN series
Rapid7 noted that there are at least 16,213 vulnerable Zyxel devices exposed to the internet, making it a lucrative attack vector for threat actors to stage potential exploitation attempts.
The cybersecurity firm also pointed out that Zyxel silently issued fixes to address the issue on April 28, 2022 without publishing an associated Common Vulnerabilities and Exposures (CVE) identifier or a security advisory. Zyxel, in its alert, blamed this on a “miscommunication during the disclosure coordination process.”
“Silent vulnerability patching tends to only help active attackers, and leaves defenders in the dark about the true risk of newly discovered issues,” Rapid7 researcher Jake Baines said.
The advisory comes as Zyxel addressed three different issues, including a command injection (CVE-2022-26413), a buffer overflow (CVE-2022-26414), and a local privilege escalation (CVE-2022-0556) flaw, in its VMG3312-T20A wireless router and AP Configurator that could lead to arbitrary code execution.