Nasty Zyxel remote execution bug is being exploited

Written by , APAC Editor Chris Duckett APAC Editor

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

Full Bio

At the end of last week, Rapid7 disclosed a nasty bug in Zyxel firewalls that could allow for an unauthenticated remote attacker to execute code as the nobody user.

The programming issue was not sanitising input, with two fields passed to a CGI handler being fed into system calls. The impacted models were its VPN and ATP series, and USG 100(W), 200, 500, 700, and Flex 50(W)/USG20(W)-VPN.

At the time, Rapid7 said there were 15,000 affected models on the internet that Shodan had found. However, over the weekend, Shadowserver Foundation has boosted that number to over 20,800.

“Most popular are USG20-VPN (10K IPs) and USG20W-VPN (5.7K IPs). Most of the CVE-2022-30525 affected models are in the EU – France (4.5K) and Italy (4.4K),” it tweeted.

The Foundation also

Read More: