Researchers, NSA cybersecurity director warn of hackers targeting Zyxel vulnerability


Hackers are exploiting a widespread, critical vulnerability in Zyxel firewalls, according to several researchers and the NSA's director of cybersecurity.

The non-profit Shadowserver Foundation said it began observing exploitation attempts on May 13. CVE-2022-30525 was first discovered by the cybersecurity firm Rapid7. The affected firewalls are sold to small businesses as well as corporate headquarters, and are used for VPN access, SSL inspection, web filtering, intrusion protection and email security.

The vulnerability allows an unauthenticated attacker to modify certain files and then execute OS commands on the vulnerable device. It has a CVSS v3 score of 9.8, indicating high severity, and affects Zyxel firewalls that support Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series and USG FLEX series.

Netenrich principal threat hunter John Bambenek noted that the devices tend to serve small and medium-sized businesses.

“These organizations are most likely not in a position to know that there is a vulnerability, much less to have an expert they can ask to fix it,” Bambenek said.

Bugcrowd founder Casey Ellis told The Record that while the vulnerability is fairly fixable, it “tends to show up on networking and embedded equipment.”

“Despite the fact that command injection is well known and avoidable, it still appears and has an impact on the Internet,” Ellis said. “This demonstrates the continuing need to secure and cover code and systems by security researchers and those who ‘think differently’ from the developers of these products and have the ability to capture what may have been missed.”
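Command injection of the kind Ellis calls well known and avoidable comes down to attacker-controlled text reaching a shell. The Python below is an added, generic illustration, not Zyxel's firmware code, and it says nothing about the specific flaw in CVE-2022-30525: it shows a hypothetical "run a network diagnostic" handler in its vulnerable form (request input interpolated into a shell command string) beside a hardened form (allow-list validation of the target, then an argument list executed without a shell). The function names and the sample inputs are constructed for this example.

```python
"""Command injection in a device-style "run a diagnostic" handler.

Added, generic illustration (not Zyxel's code): a handler takes a hostname
from a request and pings it.  The unsafe version hands the string to a
shell; the hardened version validates the input and passes an argument
list so no shell ever parses it.
"""
import ipaddress
import re
import subprocess

# Hostname labels per RFC 1123: letters, digits and hyphens, 1-63 chars per
# label, and a label may not start or end with a hyphen (so a validated
# host can never begin with '-' and be mistaken for an option).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def build_unsafe_command(host: str) -> str:
    """The vulnerable pattern: request input interpolated into a shell string.

    Returned rather than executed so the effect is visible: a ';', '&&' or
    '$(...)' in `host` is interpreted by the shell as a second command.
    """
    return f"ping -c 1 {host}"


def is_valid_target(host: str) -> bool:
    """Allow-list check: a literal IP address or an RFC 1123 hostname, nothing else."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(host))


def build_safe_argv(host: str) -> list:
    """Hardened pattern: reject anything outside the allow-list, then build
    an argv list.  Each element is one argument; no shell metacharacters
    are ever interpreted because no shell is involved."""
    if not is_valid_target(host):
        raise ValueError(f"rejected target: {host!r}")
    return ["ping", "-c", "1", host]


def run_diagnostic(host: str, timeout: float = 5.0) -> int:
    """Run the validated ping without a shell and return its exit status."""
    argv = build_safe_argv(host)
    completed = subprocess.run(argv, capture_output=True, timeout=timeout, check=False)
    return completed.returncode


if __name__ == "__main__":
    tainted = "192.0.2.1; echo injected"   # constructed sample input
    print("shell would receive:", build_unsafe_command(tainted))
    for candidate in ("192.0.2.1", "fw.example.net", tainted):
        verdict = "accepted" if is_valid_target(candidate) else "rejected"
        print(f"{candidate!r} -> {verdict}")
```

The allow-list matters as much as dropping the shell: passing an argument list stops metacharacter interpretation, but only input validation prevents a value beginning with `-` from being read by the target program as an option.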

Instances displayed via Shodan search.

Shadowserver said it has found even more systems that could be vulnerable.

“We see that at least 20,800 potentially affected Zyxel firewall models (per unique IP address) are available on the Internet. The most popular are USG20-VPN (10K IPs) and USG20W-VPN (5.7K IPs). Most of the models affected by CVE-2022-30525 are in the EU – France (4.5K) and Italy (4.4K),” explained Shadowserver.

Zyxel patched the vulnerability after it was discovered in April. But on Sunday morning, NSA Cybersecurity Director Rob Joyce confirmed that the vulnerability is being exploited in the wild.

Rapid7 also criticized how Zyxel handled the vulnerability. After Rapid7 notified the company of the problem and proposed a coordinated release date in June, Zyxel instead released patches for it on April 28.

“Zyxel has not released an associated CVE or safety advice. On May 9, Rapid7 independently discovered Zyxel’s uncoordinated discovery. The seller then reserved CVE-2022-30525. This release of the patch is tantamount to publishing details about the vulnerability, as attackers and researchers can trivially undo the patch to find out the exact details of the exploitation, while defenders rarely try to do so,” the company explained.

“Therefore, we are publishing this discovery early to help defenders detect exploitation and help them decide when to apply this correction in their environment, in line with their risk tolerances. In other words, quietly patching vulnerabilities only helps active attackers, leaving defenders in the dark about the real risk of newfound problems.”

In its patch advisory, Zyxel said only that there had been a “wrong communication” with Rapid7; the company did not respond to requests for comment.

Jonathan has worked as a journalist around the world since 2014. Before returning to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cyber security on ZDNet and TechRepublic.
