CVE-2022-30525 Information

Description

A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1 USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1 USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1 USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1 USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1 USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1 ATP series firmware versions 5.10 through 5.21 Patch 1 VPN series firmware versions 4.60 through 5.21 Patch 1 which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml http://packetstormsecurity.com/files/167182/Zyxel-Firewall-ZTP-Unauthenticated-Command-Injection.html http://packetstormsecurity.com/files/167176/Zyxel-Remote-Command-Execution.html http://packetstormsecurity.com/files/167372/Zyxel-USG-FLEX-5.21-Command-Injection.html

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8