CVE-2022-30525 — CRITICAL (9.8)

Q: How severe is CVE-2022-30525?

CVE-2022-30525 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2022-30525?

Check the references section above for vendor advisories and patch information. Affected products include: Zyxel Usg Flex 100W Firmware, Zyxel Usg Flex 100W, Zyxel Usg Flex 200 Firmware, Zyxel Usg Flex 200, Zyxel Usg Flex 500 Firmware.

Vulnerability Description

A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Zyxel	Usg Flex 100W Firmware	>= 5.00, < 5.30
Zyxel	Usg Flex 100W	-
Zyxel	Usg Flex 200 Firmware	>= 5.00, < 5.30
Zyxel	Usg Flex 200	-
Zyxel	Usg Flex 500 Firmware	>= 5.00, <= 5.30
Zyxel	Usg Flex 500	-
Zyxel	Usg Flex 700 Firmware	>= 5.00, < 5.30
Zyxel	Usg Flex 700	-
Zyxel	Vpn100 Firmware	>= 4.60, < 5.30
Zyxel	Vpn100	-
Zyxel	Vpn1000 Firmware	>= 4.60, < 5.30
Zyxel	Vpn1000	-
Zyxel	Vpn300 Firmware	>= 4.60, < 5.30
Zyxel	Vpn300	-
Zyxel	Vpn50 Firmware	>= 4.60, < 5.30
Zyxel	Vpn50	-
Zyxel	Atp100 Firmware	>= 5.10, < 5.30
Zyxel	Atp100	-
Zyxel	Atp100W Firmware	>= 5.10, < 5.30
Zyxel	Atp100W	-

Related Weaknesses (CWE)

CWE-78

References

http://packetstormsecurity.com/files/167176/Zyxel-Remote-Command-Execution.htmlThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/167182/Zyxel-Firewall-ZTP-Unauthenticated-CExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/167372/Zyxel-USG-FLEX-5.21-Command-InjectioExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/168202/Zyxel-Firewall-SUID-Binary-PrivilegeExploitThird Party Advisory
https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vVendor Advisory
http://packetstormsecurity.com/files/167176/Zyxel-Remote-Command-Execution.htmlThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/167182/Zyxel-Firewall-ZTP-Unauthenticated-CExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/167372/Zyxel-USG-FLEX-5.21-Command-InjectioExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/168202/Zyxel-Firewall-SUID-Binary-PrivilegeExploitThird Party Advisory
https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vVendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-US Government Resource

FAQ

What is CVE-2022-30525?

CVE-2022-30525 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 fir...

How severe is CVE-2022-30525?

CVE-2022-30525 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2022-30525?

Check the references section above for vendor advisories and patch information. Affected products include: Zyxel Usg Flex 100W Firmware, Zyxel Usg Flex 100W, Zyxel Usg Flex 200 Firmware, Zyxel Usg Flex 200, Zyxel Usg Flex 500 Firmware.