What is CVE-2022-30525?

CVE-2022-30525 is a critical-severity vulnerability in Zyxel Atp Series Firmware, classified under OS Command Injection. CVSS score: 9.8/10. Published 2022-05-12.

How severe is CVE-2022-30525?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Is CVE-2022-30525 known to be exploited?

Yes. CVE-2022-30525 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-05-16), indicating it is being actively exploited. 73 public proof-of-concept repositories are indexed.

RCE in Zyxel Atp Series Firmware

CVE-2022-30525

A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.944 (100.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Zyxel Atp Series Firmware — versions 5.10 through 5.21 Patch 1
Zyxel Usg 20(w)-vpn Firmware — versions 5.10 through 5.21 Patch 1
Zyxel Usg Flex 100(w) Firmware — versions 5.00 through 5.21 Patch 1
Zyxel Usg Flex 200 Firmware — versions 5.00 through 5.21 Patch 1
Zyxel Usg Flex 500 Firmware — versions 5.00 through 5.21 Patch 1
Zyxel Usg Flex 50(w) Firmware — versions 5.10 through 5.21 Patch 1
Zyxel Usg Flex 700 Firmware — versions 5.00 through 5.21 Patch 1
Zyxel Vpn Series Firmware — versions 4.60 through 5.21 Patch 1

Weakness classification (CWE)

CWE-78 — OS Command Injection

CISA KEV (Known Exploited Vulnerabilities)

This CVE is on the CISA KEV catalog, added on 2022-05-16. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.

BOD 22-01 due date: 2022-06-06.

Required action: Apply updates per vendor instructions.

Public proof-of-concept exploits

References

www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerab… (x_refsource_CONFIRM)
packetstormsecurity.com/files/167176/Zyxel-Remote-Command-Execution.html (x_refsource_MISC)
packetstormsecurity.com/files/167182/Zyxel-Firewall-ZTP-Unauthenticated-Command… (x_refsource_MISC)
packetstormsecurity.com/files/167372/Zyxel-USG-FLEX-5.21-Command-Injection.html (x_refsource_MISC)
packetstormsecurity.com/files/168202/Zyxel-Firewall-SUID-Binary-Privilege-Escal… (x_refsource_MISC)

Frequently asked questions

What is CVE-2022-30525?: CVE-2022-30525 is a critical-severity vulnerability in Zyxel Atp Series Firmware, classified under OS Command Injection. CVSS score: 9.8/10. Published 2022-05-12.
How severe is CVE-2022-30525?: Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2022-30525 known to be exploited?: Yes. CVE-2022-30525 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-05-16), indicating it is being actively exploited. 73 public proof-of-concept repositories are indexed.