Zyxel silently patches command-injection vulnerability with 9.8 severity rating

submitted by
Style Pass
2022-05-14 10:00:07

Hardware manufacturer Zyxel quietly released an update fixing a critical vulnerability that gives hackers the ability to control tens of thousands of firewall devices remotely.

The vulnerability, which allows remote command injection with no authentication required, carries a severity rating of 9.8 out of a possible 10. It’s easy to exploit by sending simple HTTP or HTTPS requests to affected devices. The requests allow hackers to send commands or open a web shell interface that enables hackers to maintain privileged access over time.

The vulnerability affects a line of firewalls that offer a feature known as zero-touch provisioning. Zyxel markets the devices for use in small branch and corporate headquarters deployments. The devices perform VPN connectivity, SSL inspection, web filtering, intrusion protection, and email security and provide up to 5 Gbps throughput through the firewall. The Shodan device search service shows more than 16,000 affected devices are exposed to the Internet.

The vulnerability is tracked as CVE-2022-30525. Rapid7, the security firm that discovered it and privately reported it to Zyxel, said that the VPN series of the devices also supports ZTP, but they’re not vulnerable because they don’t include other required functionality. In an advisory published Thursday, Rapid7 researcher Jake Baines wrote:
