Update -- Security researchers and U.S. government officials are urging businesses to apply patches for a serious remote code execution bug in Zyxel firewall products, after exploitation attempts for the flaw were observed.
The vulnerability (CVE-2022-30525), which has a 9.8 CVSS severity score, impacts a number of Zyxel firewall product line models that are targeted for businesses, ranging from small branch to corporate headquarter deployments. While Zyxel previously released patches in April, the flaw is easy to exploit - an attacker could be unauthenticated and remote - and one day after the flaw’s May 12 public disclosure, researchers with the Shadowserver Foundation said they started seeing exploitation attempts.
"In this case what we were seeing were multiple IPs that were executing callbacks, but we did not see malware dropped," said Piotr Kijewski with the Shadowserver Foundation on Wednesday. "Now we are seeing lots of scans for the Zyxel endpoint URI, with no exploitation."
Jake Baines, lead security researcher with Rapid7, who discovered the flaw, said the impact and consequences of the vulnerability “can be quite dire” depending on how far into the internal network the Zyxel firewall can reach.
“The Zxyel firewalls affected by CVE-2022-30525 are what we typically refer to as ‘network pivot,’” said Baines. “Exploitation of CVE-2022-30525 will likely allow an attacker to establish a foothold in the victim’s internal network. From that foothold, the attacker can attack (or pivot to) internal systems that otherwise would not be exposed to the internet.”
The impacted models are vulnerable to an unauthenticated remote command injection, where attackers can leverage the administrative HTTP interface to execute commands as the ‘nobody’ user, which can allow them to establish a reverse shell.
"Exploitation of CVE-2022-30525 will likely allow an attacker to establish a foothold in the victim’s internal network."
The impacted Zyxel firewall products support zero touch provisioning, which is a feature for setting up devices that provisions them to the network automatically. The flaw stems from a specific feature within the zero touch provisioning implementation, which is a command called “setWanPortSt” that enables the remote provision to alter the IP settings of the firewall’s ports, said Baines.
“This vulnerability is exploited through the /ztp/cgi-bin/handler URI and is the result of passing unsanitized attacker input into the os.system method in lib_wan_settings.py,” according to Baines in an analysis. “The vulnerable functionality is invoked in association with the setWanPortSt command.”
Impacted firewall models include certain firmware versions of the USG Flex 100, 100W, 200, 500 and 700; the USG20-VPN and USG20W-VPN; and the APT 100, 200, 500, 700 and 800. The VPN series, which supports zero touch provisioning, is not vulnerable because it does not support the “setWanPortSt” command, according to Baines.
According to the Shadowserver Foundation, as of Sunday at least 20,800 potentially impacted Zyxel devices are accessible on the Internet, including 2,400 in the U.S. The majority of these affected models are in the EU, including 4,500 models in France and 4,400 in Italy. Researchers with Rapid7 pointed to more than 15,000 models visible on Shodan.
After Baines first discovered and disclosed the flaw to Zyxel in April, Zyxel released patches on April 28. On Thursday of last week, both Rapid7’s disclosure bulletin and a security advisory from Zyxel were released.
No further information has been revealed by the Shadowserver Foundation on the extent or specifics of observed exploitation attempts. Rapid7 researchers, meanwhile, said that they have not yet observed exploitation in the wild as of Monday, however, they said they continue to actively monitor the situation.
NSA director of cybersecurity Rob Joyce urged organizations to check their Zyxel firewall versions to see if they are impacted and to apply patches. Researchers with Rapid7 also recommended that businesses enable automatic firmware updates if possible, and disable WAN access to the administrative web interface of the system.
This article was updated on May 18 to add new comments from the Shadowserver Foundation.