Hackers have begun exploiting a newly fixed severe vulnerability, CVE-2022-30525, affecting Zyxel firewall and VPN equipment for enterprises. Successful exploitation lets a remote attacker inject arbitrary commands without authentication, allowing a reverse shell to be set up.
Jacob Baines, a principal security researcher at Rapid7, discovered the flaw and outlined how it can be exploited in a concise technical write-up. The Metasploit penetration testing framework now offers a module for it.
“Commands are executed as the nobody user. This vulnerability is exploited through the /ztp/cgi-bin/handler URI and is the result of passing unsanitized attacker input into the os.system method in lib_wan_settings.py,” said Jacob Baines.
According to the researcher, an attacker can obtain a reverse shell using the standard bash GTFOBin. On May 12, Zyxel issued a security advisory for CVE-2022-30525 (CVSS score of 9.8), advising administrators to install the latest updates and stating that a patch was available for the affected devices.
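As an added illustration (not the vendor's code and not from Rapid7's write-up), the pattern Baines describes, untrusted input spliced into a shell command string, shown next to a hardened version that allowlists the value and hands an argv list to the process with no shell in between. The function names, the `iface` parameter and the `ifconfig` command are assumptions for illustration only.

```python
import re
import shlex

# Assumption: names and the ifconfig command are hypothetical stand-ins;
# they are not taken from Zyxel's lib_wan_settings.py.


def build_vulnerable_command(iface: str) -> str:
    """The flawed pattern: the request value is interpolated verbatim into a
    command line that would then be handed to os.system(), so any shell
    metacharacters in `iface` are interpreted by the shell."""
    return "ifconfig %s up" % iface


# Allowlist: Linux interface names are short and use a narrow character set.
IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")


def build_hardened_argv(iface: str) -> list:
    """Hardened form: reject anything outside the allowlist, then build an
    argv list for subprocess.run(argv) (shell=False), so the value can only
    ever be one argument, never additional commands."""
    if not IFACE_RE.fullmatch(iface):
        raise ValueError("interface name rejected: %r" % iface)
    return ["ifconfig", iface, "up"]


def build_quoted_command(iface: str) -> str:
    """Fallback when a shell string is unavoidable: shlex.quote() wraps the
    value so metacharacters are passed literally. Allowlisting is still the
    stronger control; use this only in addition to it."""
    return "ifconfig %s up" % shlex.quote(iface)


if __name__ == "__main__":
    # Constructed sample input containing a shell metacharacter.
    hostile = "wan1; id"
    print("vulnerable :", build_vulnerable_command(hostile))
    print("quoted     :", build_quoted_command(hostile))
    try:
        build_hardened_argv(hostile)
    except ValueError as exc:
        print("hardened   : rejected ->", exc)
    print("hardened   :", build_hardened_argv("wan1"))
```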
Because of the severity of the flaw and its potential impact, NSA Cybersecurity Director Rob Joyce warned users about the exploitation and urged them to update their firmware if their device is affected. According to security specialists at the nonprofit Shadowserver Foundation, CVE-2022-30525 has been the target of exploitation attempts since Friday the 13th.
It’s unclear whether these attempts are malicious or simply researchers mapping out Zyxel devices exposed to attack. Using the Shodan search engine for internet-connected devices, Rapid7 scanned for vulnerable Zyxel products and found over 15,000 of them. Shadowserver’s own analysis found that the vulnerability affects at least 20,800 Zyxel firewall devices on the open web.
According to the organization, more than 15,000 of those devices were USG20-VPN and USG20W-VPN models, intended for “VPN connections across the branch offices and chain stores.” The European Union has the most potentially vulnerable devices, with France and Italy having the highest counts. Given the severity of the vulnerability and the ubiquity of the devices, security researchers have released code to help administrators find vulnerable devices and spot exploitation attempts.
z3r00t, a member of Telefónica’s red team, developed and released a template for the Nuclei vulnerability scanner to detect CVE-2022-30525; the template is available in the author’s GitHub repository. Another researcher, BlueNinja, published a script on GitHub that detects the unauthenticated remote command injection in Zyxel firewall and VPN devices.