CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2022-30525

CVSS 9.8v3.1pub. 2022-05-12upd. 2025-10-27

A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Zyxel Atp100

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Atp100 Firmware

    OS
    Zyxel
    5.10 – 5.30 (bez)
  • Zyxel Atp100w

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Atp100w Firmware

    OS
    Zyxel
    5.10 – 5.30 (bez)
  • Zyxel Atp200

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Atp200 Firmware

    OS
    Zyxel
    5.10 – 5.30 (bez)
  • Zyxel Atp500

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Atp500 Firmware

    OS
    Zyxel
    5.10 – 5.30 (bez)
  • Zyxel Atp700

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Atp700 Firmware

    OS
    Zyxel
    5.10 – 5.30 (bez)
  • Zyxel Atp800

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Atp800 Firmware

    OS
    Zyxel
    5.10 – 5.30 (bez)
  • Zyxel Usg20w Vpn

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Usg20w Vpn Firmware

    OS
    Zyxel
    5.10 – 5.30 (bez)
  • Zyxel Usg Flex 100w

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Usg Flex 100w Firmware

    OS
    Zyxel
    5.00 – 5.30 (bez)
  • Zyxel Usg Flex 200

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Usg Flex 200 Firmware

    OS
    Zyxel
    5.00 – 5.30 (bez)
  • Zyxel Usg Flex 500

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Usg Flex 500 Firmware

    OS
    Zyxel
    5.00 – 5.30
  • Zyxel Usg Flex 50w

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Usg Flex 50w Firmware

    OS
    Zyxel
    5.10 – 5.30 (bez)
  • Zyxel Usg Flex 700

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Usg Flex 700 Firmware

    OS
    Zyxel
    5.00 – 5.30 (bez)
  • Zyxel Vpn100

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Vpn1000

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Vpn1000 Firmware

    OS
    Zyxel
    4.60 – 5.30 (bez)
  • Zyxel Vpn100 Firmware

    OS
    Zyxel
    4.60 – 5.30 (bez)
  • Zyxel Vpn300

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Vpn300 Firmware

    OS
    Zyxel
    4.60 – 5.30 (bez)

CISA KEV — detailsi

Vendori
Zyxel
Producti
Multiple Firewalls
Added to KEVi
May 16, 2022
Remediation deadline (US Federal)i
June 6, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 6 czerwca 2022
Tags
VPNCommand Injection
CWE
References

Related vulnerabilities

CVE-2023-33009CRITICAL9.8⚠ KEVten sam produkt

A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.60 throug...

CVE-2023-33010CRITICAL9.8⚠ KEVten sam produkt

A buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware versions 4.32 throu...

CVE-2023-28771CRITICAL9.8⚠ KEVten sam produkt

Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series fir...

CVE-2020-29583CRITICAL9.8⚠ KEVten sam produkt

Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable passw...

CVE-2020-9054CRITICAL9.8⚠ KEVten sam produkt

Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authenticati...