CVE-2022-30525 Detection: Critical Vulnerability Allows for Command Injection Attacks


A newly disclosed bug in Zyxel firewalls puts tens of thousands of internet-exposed devices in Europe and the U.S. at risk. The critical vulnerability affecting Zyxel's ATP series, VPN series, and USG FLEX series business firewalls is tracked as CVE-2022-30525 and carries a CVSS score of 9.8. It lets a remote attacker inject and execute operating-system commands on the affected device without any prior authentication.

Detect CVE-2022-30525

To spot possible breaches through exploitation of CVE-2022-30525 in time, download the Sigma rules developed by Threat Bounty developers Kaan Yeniyol and Nattatorn Chuensangarun, which flag the suspicious requests in proxy and web-server logs:

Possible Initial Access by Exploitation of Zyxel Firewall Unauthenticated Remote Command Injection [CVE-2022-30525] (via proxy)

Possible Initial Access by Exploitation of Zyxel Firewall Unauthenticated Remote Command Injection [CVE-2022-30525] (via webserver)
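The two rules above key on the same request pattern in two log sources: a proxy that sees the client's request, and the firewall's own web-server log. The script below is an added example of that detection logic written in Python; it is not SOC Prime's Sigma content and not Zyxel's or Rapid7's code. It assumes the vulnerable endpoint and request shape that Rapid7's public advisory documents (the ZTP handler CGI on the HTTP interface, and a JSON body whose `setWanPortSt` command carries the injected value), an access-log layout in which a proxy or WAF optionally appends the URL-encoded request body as a trailing quoted field (a plain web-server log will not have it), and the log lines themselves are constructed samples, not captured traffic.

```python
"""Flag CVE-2022-30525 exploitation attempts in proxy / web-server access logs.

Added example, not SOC Prime's Sigma rules. Endpoint and body shape are those
published in Rapid7's advisory; all log lines here are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

VULN_PATH = "/ztp/cgi-bin/handler"      # ZTP handler CGI named in Rapid7's advisory
VULN_COMMAND = "setWanPortSt"            # command whose fields reach the shell
SHELL_META = re.compile(r"[;|&`]|\$\(")  # metacharacters that break out of the command

# Combined-log style line. The optional trailing quoted field is an
# URL-encoded request body (assumed proxy/WAF format); web-server logs omit it.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<body>[^"]*)")?$'
)


@dataclass
class Hit:
    src: str
    ts: str
    severity: str   # "low" probe, "medium" POST to handler, "high" injection in body
    reason: str


def inspect_line(line: str) -> Optional[Hit]:
    """Return a Hit for any request to the vulnerable handler, graded by evidence."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode the path before comparing so %-encoded evasion of the URI still matches.
    path = unquote(m["uri"]).split("?", 1)[0]
    if path != VULN_PATH:
        return None
    if m["method"] != "POST":
        return Hit(m["src"], m["ts"], "low", "non-POST probe of ZTP handler")
    body = unquote(m["body"] or "")
    if VULN_COMMAND in body and SHELL_META.search(body):
        return Hit(m["src"], m["ts"], "high",
                   "setWanPortSt request with shell metacharacters in body")
    if VULN_COMMAND in body:
        return Hit(m["src"], m["ts"], "medium", "setWanPortSt request to ZTP handler")
    # Web-server case: no body logged, but an external POST to this CGI is itself
    # unexpected outside Zyxel's own zero-touch-provisioning flow.
    return Hit(m["src"], m["ts"], "medium", "POST to ZTP handler (body not logged)")


def scan(lines) -> List[Hit]:
    return [h for h in (inspect_line(ln) for ln in lines) if h]


# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    # injected mtu value, body logged URL-encoded by a proxy
    '203.0.113.7 - - [13/May/2022:04:12:09 +0000] "POST /ztp/cgi-bin/handler HTTP/1.1" 200 512 '
    '"%7B%22command%22%3A%22setWanPortSt%22%2C%22proto%22%3A%22dhcp%22%2C%22port%22%3A%224%22%2C'
    '%22mtu%22%3A%22%3B%20ping%20-c%201%20198.51.100.2%3B%22%2C%22data%22%3A%22hi%22%7D"',
    # recon GET against the handler
    '198.51.100.23 - - [13/May/2022:04:13:40 +0000] "GET /ztp/cgi-bin/handler HTTP/1.1" 405 0',
    # web-server log: POST seen, body not recorded
    '192.0.2.10 - - [13/May/2022:04:14:02 +0000] "POST /ztp/cgi-bin/handler HTTP/1.1" 200 80',
    # benign traffic
    '192.0.2.44 - - [13/May/2022:04:15:11 +0000] "GET /index.html HTTP/1.1" 200 2048',
    # %-encoded path and backtick injection, caught by decoding before matching
    '203.0.113.7 - - [13/May/2022:04:16:30 +0000] "POST /ztp/cgi-bin/%68andler HTTP/1.1" 200 512 '
    '"%7B%22command%22%3A%22setWanPortSt%22%2C%22mtu%22%3A%22%60id%60%22%7D"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} {hit.severity.upper():6} {hit.reason}")
```

The grading mirrors the two rules' data sources: when only the URI is visible (web-server log), an external POST to the handler is enough to raise a medium-severity alert; when a proxy or WAF has captured the body, the `setWanPortSt` command with shell metacharacters in it is a high-confidence exploitation attempt. Decoding both the path and the body before matching is what keeps the trivial `%`-encoding evasions from slipping past.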

Security researchers and threat hunters can leverage SOC Prime’s rich library of detection content to improve their security visibility and level up hunting routines. Enthusiastic about crafting detection content and sharing it with the community of 23,000+ security professionals? Join our Threat Bounty Program!


CVE-2022-30525 Description

Rapid7 security researcher Jake Baines published an advisory on CVE-2022-30525 detailing this critical bug in Zyxel's firewall and VPN products. The flaw is an unauthenticated remote command injection: an attacker who can reach the device's HTTP management interface can send a crafted request and have the device run OS commands of the attacker's choosing.

Zyxel quietly shipped a fix at the end of April 2022 but did not publish an advisory at the time to warn users about the flaw in its firewall products. Rapid7 disclosed the issue publicly on May 12, 2022, and exploitation attempts were observed soon after. Researchers report that adversaries use CVE-2022-30525 to execute arbitrary commands on the firewall and pivot into internal networks.

Given the number of exposed Zyxel devices affected by this vulnerability (over 20,000) and the fact that the vendor markets these products for corporate networks, administrators should apply the vendor's patched firmware immediately and review proxy and web-server logs for exploitation attempts.

Explore the SOC Prime platform to open new horizons in your professional development in the security industry. Instantly hunt for the latest threats within 25+ supported EDR, SIEM, & XDR technologies, boost the awareness of all the latest attacks, map detections to MITRE ATT&CK, enhance resilience to evolving threats, and streamline your SOC operations.
