Zyxel has patched a serious flaw plaguing Zyxel firewall devices, which allows unauthenticated and remote attackers to execute code arbitrarily. 

“A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device,” the company said in an advisory published Thursday.

Rapid7, a cybersecurity firm that discovered and reported the flaw on April 13, 2022, said that the flaw could allow an unauthenticated remote attacker to execute code as the “nobody” user on affected appliances.

Labelled CVE-2022-30525 (CVSS score: 9.8), the flaw affects the following products, with patches released in version ZLD V5.30 –

  • USG FLEX 100(W), 200, 500, 700
  • USG FLEX 50(W) / USG20(W)-VPN
  • ATP series, and
  • VPN series

Rapid 7 says at least 16, 213 Zyxel devices are internet-facing, which makes the devices an easy target attack vector for threat actors.

The cybersecurity firm also drew attention to Zyxel’s fixing the issues quietly, avoiding publishing an associated Common Vulnerabilities and Exposures (CVE) identifier or a security advisory. Zyxel, in its alert, blamed this on a “miscommunication during the disclosure coordination process.”

“Silent vulnerability patching tends to only help active attackers, and leaves defenders in the dark about the true risk of newly discovered issues,” Rapid7 researcher Jake Baines said.

The advisory comes in the background of Zyxel patching three different issues, including a command injection (CVE-2022-26413), a buffer overflow (CVE-2022-26414), and a local privilege escalation (CVE-2022-0556) flaw, in its VMG3312-T20A wireless router and AP Configurator that could result in arbitrary code execution.