Customers of a popular firewall manufacturer are being urged to patch a critical vulnerability fixed by the vendor back in April, after researchers warned of in-the-wild exploits.
Zyxel updated its ATP series, VPN series, and USG FLEX series of products on April 28 after Rapid7 discovered and responsibly disclosed CVE-2022-30525.
The bug “allows an unauthenticated and remote attacker to achieve arbitrary code execution as the nobody user on the affected device,” according to a lead security researcher at the firm, Jake Baines.
“The affected models are vulnerable to unauthenticated and remote command injection via the administrative HTTP interface. Commands are executed as the nobody user,” he continued.
“This vulnerability is exploited through the /ztp/cgi-bin/handler URI and is the result of passing unsanitized attacker input into the os.system method in lib_wan_settings.py. The vulnerable functionality is invoked in association with the setWanPortSt command. An attacker can inject arbitrary commands into the mtu or the data parameter.”
Over the weekend, non-profit security organization the Shadowserver Foundation tweeted that it began seeing exploitation attempts on Friday.
We see at least 20 800 of the potentially affected Zyxel firewall models (by unique IP) accessible on the Internet. Most popular are USG20-VPN (10K IPs) and USG20W-VPN (5.7K IPs).
— Shadowserver (@Shadowserver) May 15, 2022
Most of the CVE-2022-30525 affected models are in the EU - France (4.5K) and Italy (4.4K). pic.twitter.com/Wh7I8JCvVv
“We see at least 20,800 of the potentially affected Zyxel firewall models (by unique IP) accessible on the internet. Most popular are USG20-VPN (10K IPs) and USG20W-VPN (5.7K IPs),” it explained. “Most of the CVE-2022-30525 affected models are in the EU – France (4.5K) and Italy (4.4K).”
According to Shadowserver, the next most common locations for exposed Zyxel firewalls are the US (2400), followed by Switzerland (1700) and Russia (854).
However, despite Rapid7’s responsible disclosure of the vulnerability, there appears to have been a communication breakdown with the Taiwanese firewall manufacturer after that.
In fact, Zyxel released a patch in late April without coordinating with the researchers, publishing an advisory or reserving a CVE. Rapid7 believes this may have unwittingly aided threat actors.
“This patch release is tantamount to releasing details of the vulnerabilities, since attackers and researchers can trivially reverse the patch to learn precise exploitation details, while defenders rarely bother to do this,” argued Baines.
“Therefore, we’re releasing this disclosure early in order to assist defenders in detecting exploitation and to help them decide when to apply this fix in their own environments, according to their own risk tolerances. In other words, silent vulnerability patching tends to only help active attackers, and leaves defenders in the dark about the true risk of newly discovered issues.”