CISA KEV 정보
| 취약점명 | Zyxel Multiple Firewalls OS Command Injection Vulnerability |
|---|---|
| 설명 | A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device. |
| 조치사항 | Apply updates per vendor instructions. |
| 랜섬웨어 캠페인 악용 | Unknown |
| CWE | CWE-78 |
| 등록일 (KEV) | 2022-05-16 |
| 조치 기한 | 2022-06-06 |
| 추가 참고 | https://nvd.nist.gov/vuln/detail/CVE-2022-30525 |
NVD 상세 정보
CVSS v3.1: 9.8 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCVSS v2.0: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C설명: A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
CWE: CWE-78 | CWE-78
참조
- http://packetstormsecurity.com/files/167176/Zyxel-Remote-Command-Execution.html [Third Party Advisory, VDB Entry]
- http://packetstormsecurity.com/files/167182/Zyxel-Firewall-ZTP-Unauthenticated-Command-Injection.html [Exploit, Third Party Advisory, VDB Entry]
- http://packetstormsecurity.com/files/167372/Zyxel-USG-FLEX-5.21-Command-Injection.html [Exploit, Third Party Advisory, VDB Entry]
- http://packetstormsecurity.com/files/168202/Zyxel-Firewall-SUID-Binary-Privilege-Escalation.html [Exploit, Third Party Advisory]
- https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml [Vendor Advisory]
- http://packetstormsecurity.com/files/167176/Zyxel-Remote-Command-Execution.html [Third Party Advisory, VDB Entry]
- http://packetstormsecurity.com/files/167182/Zyxel-Firewall-ZTP-Unauthenticated-Command-Injection.html [Exploit, Third Party Advisory, VDB Entry]
- http://packetstormsecurity.com/files/167372/Zyxel-USG-FLEX-5.21-Command-Injection.html [Exploit, Third Party Advisory, VDB Entry]
- http://packetstormsecurity.com/files/168202/Zyxel-Firewall-SUID-Binary-Privilege-Escalation.html [Exploit, Third Party Advisory]
- https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml [Vendor Advisory]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-30525 [US Government Resource]
This product uses the NVD API but is not endorsed or certified by the NVD.