Researchers on Thursday reported that they had found a vulnerability that affects Zyxel firewalls that allows an unauthenticated and remote attacker to launch a remote code execution (RCE).
In a blog post, Rapid7 researchers said they reported the vulnerability – CVE-2022-30525 – on April 13 to Zyxel and the vendor issued a patch some two weeks later.
The vulnerability affects Zyxel firewalls that support zero touch provisioning (ZTP), which includes the ATP series, VPN series and the USG FLEX series, including USG20-VPN and USG20W-VPN.
While a fairly remedial vulnerability, Casey Ellis, founder and CTO of Bugcrowd, said it’s one that does have a tendency to turn up on networking and embedded equipment. Ellis said despite command injection being a well-known and avoidable vulnerability, it continues to show up on the internet.
“This highlights the continued need for assurance and coverage of code and systems by security researchers and those who ‘think differently’ from the developers of these products and have the ability to catch what may have been missed,” Ellis said.
John Bambenek, principal threat hunter at Netenrich, added that addition to this vulnerability allowing remote code execution, the devices tend to cater to small-to-medium businesses.
“These organizations are likely in no position to know there’s a vulnerability, much less have someone they can ask to patch it,” said Bambenek.