Customers of a popular firewall manufacturer are being urged to patch a critical vulnerability fixed by the vendor back in April, after researchers warned of in-the-wild exploits.
Zyxel updated its ATP series, VPN series, and USG FLEX series of products on April 28 after Rapid7 discovered and responsibly disclosed CVE-2022-30525.
The bug “allows an unauthenticated and remote attacker to achieve arbitrary code execution as the nobody user on the affected device,” according to a lead security researcher at the firm, Jake Baines.
“The affected models are vulnerable to unauthenticated and remote command injection via the administrative HTTP interface. Commands are executed as the nobody user,” he continued.
“This vulnerability is exploited through the /ztp/cgi-bin/handler URI and is the result of passing unsanitized attacker input into the os.system method in lib_wan_settings.py. The vulnerable functionality is invoked in association with the setWanPortSt command. An attacker can inject arbitrary commands into the mtu or the data parameter.”
Over the weekend, non-profit security organization the Shadowserver Foundation tweeted that it began seeing exploitation attempts on Friday.
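The two practical takeaways from Baines' description are the root cause (attacker-controlled strings reaching `os.system`) and a concrete indicator (requests to `/ztp/cgi-bin/handler` carrying `setWanPortSt` with the `mtu` or `data` parameter). The following Python is an added example, not Zyxel's firmware code or Rapid7's research code: it shows the hardened pattern a maintainer would use in place of `os.system` (strict validation plus an argv list with no shell), and a small triage function that flags handler requests in HTTP access logs. The Combined-Log line format, the `command=` query parameter name and the sample log lines are all constructed assumptions; on a real device the parameters may arrive in a POST body and not appear in the access log at all, so the path match alone is the reliable signal.

```python
import re
import subprocess
from urllib.parse import unquote_plus, urlsplit

# URI named in the advisory; the parameter names below are assumptions for the demo.
HANDLER_PATH = "/ztp/cgi-bin/handler"
SHELL_META = re.compile(r"[;&|`$\n\r<>(){}]")


# --- hardened replacement for "os.system(f'... mtu {mtu}')" -----------------
def validate_mtu(value: str) -> int:
    """Accept only a plain decimal integer in a sane Ethernet MTU range."""
    if not re.fullmatch(r"\d{2,5}", value):
        raise ValueError("mtu must be a plain decimal integer")
    mtu = int(value)
    if not 68 <= mtu <= 9000:
        raise ValueError("mtu out of range")
    return mtu


def build_mtu_command(interface: str, value: str) -> list:
    """Return an argv list; every operand is validated and no shell is involved."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,15}", interface):
        raise ValueError("bad interface name")
    return ["ip", "link", "set", "dev", interface, "mtu", str(validate_mtu(value))]


def apply_mtu(interface: str, value: str) -> None:
    # shell=False is the default; a list argv cannot be re-parsed into extra commands.
    subprocess.run(build_mtu_command(interface, value), check=True)


# --- access-log triage (constructed Combined Log Format) --------------------
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def parse_query(query: str) -> dict:
    """Split only on '&' so a ';' inside a value survives for inspection."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, val = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(val))
    return params


def triage_access_log(text: str) -> list:
    """Return (client_ip, [reasons]) for every request that hits the ZTP handler."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != HANDLER_PATH:
            continue
        reasons = ["request to ZTP handler"]
        params = parse_query(parts.query)
        if "setWanPortSt" in params.get("command", []):
            reasons.append("setWanPortSt command")
        for key in ("mtu", "data"):
            if any(SHELL_META.search(v) for v in params.get(key, [])):
                reasons.append(f"shell metacharacter in {key}")
        findings.append((m.group("ip"), reasons))
    return findings


# Constructed sample: one bare handler hit, one unrelated request, one handler
# hit whose (assumed) query string carries a shell metacharacter in mtu.
LOG_SAMPLE = """\
203.0.113.10 - - [13/May/2022:10:01:02 +0000] "POST /ztp/cgi-bin/handler HTTP/1.1" 200 512
198.51.100.7 - - [13/May/2022:10:01:05 +0000] "GET /login HTTP/1.1" 200 1024
203.0.113.11 - - [13/May/2022:10:02:30 +0000] "GET /ztp/cgi-bin/handler?command=setWanPortSt&mtu=1500;id HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    for ip, reasons in triage_access_log(LOG_SAMPLE):
        print(ip, "->", ", ".join(reasons))
    print(build_mtu_command("wan0", "1500"))
```

Run as a script it prints two findings (the bare handler hit and the one with the metacharacter) and the safe argv list; `validate_mtu("1500;id")` raises instead of ever reaching a shell, which is the property the vendor's fix needs to guarantee.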