Zyxel security advisory for OS command injection vulnerability of firewalls

CVE: CVE-2022-30525

 

Summary

Zyxel has released patches for an OS command injection vulnerability found by Rapid7 and urges users to install them for optimal protection.

 

What is the vulnerability?

A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

 

What versions are vulnerable and what should you do?

After a thorough investigation, we’ve identified the vulnerable products that are within their vulnerability support period and released patches to address the vulnerability, as shown in the table below.

| Affected model | Affected firmware version | Patch availability |
|---|---|---|
| USG FLEX 100(W), 200, 500, 700 | ZLD V5.00 through ZLD V5.21 Patch 1 | ZLD V5.30 |
| USG FLEX 50(W) / USG20(W)-VPN | ZLD V5.10 through ZLD V5.21 Patch 1 | ZLD V5.30 |
| ATP series | ZLD V5.10 through ZLD V5.21 Patch 1 | ZLD V5.30 |
| VPN series | ZLD V4.60 through ZLD V5.21 Patch 1 | ZLD V5.30 |
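
An added example, not part of Zyxel's advisory: a Python check that flags device inventory entries whose firmware falls inside the affected ranges in the table above. The firmware string format (`ZLD V5.21 Patch 1`), the name-prefix matching for the ATP and VPN series, and the sample inventory are assumptions.

```python
import re

# Inclusive ranges from the advisory table as (major, minor, patch); every row is
# fixed in ZLD V5.30. Assumed: series matched by name prefix, "(W)" = optional W.
AFFECTED = [
    (re.compile(r"USG FLEX (100W?|200|500|700)"), (5, 0, 0), (5, 21, 1)),
    (re.compile(r"USG FLEX 50W?|USG20W?-VPN"), (5, 10, 0), (5, 21, 1)),
    (re.compile(r"ATP\s?\d+\w*"), (5, 10, 0), (5, 21, 1)),
    (re.compile(r"VPN\s?\d+\w*"), (4, 60, 0), (5, 21, 1)),
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?", re.IGNORECASE)


def parse_version(text):
    """Parse 'ZLD V5.21 Patch 1' style strings into (5, 21, 1); None if unparseable."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify(model, firmware):
    """Return 'affected', 'not_listed' or 'unknown' for one inventory entry."""
    version = parse_version(firmware)
    if version is None:
        return "unknown"  # never report an unparseable version as safe
    name = " ".join(model.upper().split())
    for pattern, first, last in AFFECTED:
        if pattern.fullmatch(name) and first <= version <= last:
            return "affected"
    return "not_listed"


def audit(inventory):
    """Return (host, model, firmware, status) for entries that need attention."""
    rows = [(h, m, f, classify(m, f)) for h, m, f in inventory]
    return [r for r in rows if r[3] != "not_listed"]


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are illustrative).
    sample = [
        ("fw-branch-01", "USG FLEX 200", "ZLD V5.21 Patch 1"),
        ("fw-hq-01", "ATP500", "ZLD V5.30"),
        ("fw-lab-01", "VPN100", "unknown build"),
    ]
    for host, model, fw, status in audit(sample):
        print(f"{host}: {model} ({fw}) -> {status}")
```

Entries reported as `unknown` need a manual firmware check; `not_listed` only means the model and version pair does not appear in the table.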
 

Got a question?

Please contact your local service rep or visit Zyxel’s forum for further information or assistance.

 

Acknowledgment and commentary

Thanks to Rapid7 for reporting the CVE-2022-30525 issue to us. However, there was miscommunication during the disclosure coordination process with Rapid7. As a CNA, Zyxel always follows the principles of coordinated disclosure to arrange public disclosure with reporters.

 

Revision history

2022-05-12: Initial release