Background
Zyxel sells a range of firewalls and VPN gateways that are popular with small and medium businesses, and particularly common in Europe and Asia-Pacific. The USG Flex and ATP series are enterprise-grade products used as perimeter security devices — they terminate VPN connections, enforce firewall policies, and often sit directly on the internet.
CVE-2022-30525 was discovered by Rapid7 researcher Jake Baines and is a textbook command injection. What makes it notable is how easy it is to exploit — no authentication required, single HTTP request, immediate command execution. Rapid7 disclosed it in April 2022 and published a Metasploit module almost immediately after Zyxel pushed a patch.
Technical Mechanism
Zyxel firewalls expose an administrative web interface that includes a CGI endpoint for various management functions. The /ztp/cgi-bin/handler endpoint handles zero-touch provisioning requests and, critically, does not require authentication.
The vulnerability is in how this endpoint processes certain parameters — specifically the host parameter in certain setWan commands. The value is passed directly to a system command without sanitisation:
```http
POST /ztp/cgi-bin/handler HTTP/1.1
Host: target
Content-Type: application/json

{"command":"setWan","proto":"dhcp6","data":{"MSS":"","mtu":"1500","dial":"","host":";id;echo PWNED"}}
```
The host value is appended to a system call, and shell metacharacters like ; break out of the intended context. The injected commands execute as nobody — not root, but on these devices nobody often has enough permissions to read config files, establish reverse shells, and interact with the underlying Linux system.
Exploitation is a single unauthenticated POST request. From initial contact to RCE takes about five seconds.
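To make the bug class concrete, here is an added example (not Zyxel's code and not from the Rapid7 write-up) that contrasts the unsafe pattern described above with a hardened handler. The request shape (`setWan`, `data`, `host`, `mtu`) is taken from the request on the page; the `/usr/local/bin/wan-setup` path, the command template and the function names are assumptions for illustration only.

```python
"""Added example, not Zyxel's code: the injection pattern behind CVE-2022-30525
next to one hardened handler. The request shape ("setWan", "data", "host", "mtu")
comes from the page; the command template, script path and function names are
assumptions for illustration only."""
import json
import re

# Hypothetical helper that the handler shells out to (placeholder path).
WAN_SETUP = "/usr/local/bin/wan-setup"

# Allow-list for a hostname: RFC 1123 labels joined by dots, nothing else.
# Shell metacharacters (; | & ` $ quotes whitespace) can never match this.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_host(value: str) -> bool:
    """True only for a plausible DNS hostname."""
    if not value or len(value) > 253:
        return False
    return all(_LABEL.match(label) for label in value.split("."))


def build_command_unsafe(data: dict) -> str:
    """The vulnerable pattern: request fields interpolated into a shell string.
    With host=';id;echo PWNED' the string below is three separate commands.
    It is returned for inspection and never executed here."""
    return f"{WAN_SETUP} --host {data['host']} --mtu {data['mtu']}"


def build_command_safe(data: dict) -> list:
    """Hardened pattern: validate every field against an allow-list, then build an
    argv list to hand to subprocess.run(argv) with shell=False, so no shell ever
    parses the values."""
    host = data.get("host", "")
    mtu = data.get("mtu", "")
    if not is_valid_host(host):
        raise ValueError("rejected host value")
    if not (mtu.isdigit() and 576 <= int(mtu) <= 9000):
        raise ValueError("rejected mtu value")
    return [WAN_SETUP, "--host", host, "--mtu", mtu]


def handle_setwan(raw_body: str) -> list:
    """Parse a ZTP request body and return the argv that would run, or raise."""
    doc = json.loads(raw_body)
    if doc.get("command") != "setWan":
        raise ValueError("unsupported command")
    return build_command_safe(doc.get("data", {}))


# The request body shown above, reused as constructed sample input.
INJECTED_BODY = ('{"command":"setWan","proto":"dhcp6","data":'
                 '{"MSS":"","mtu":"1500","dial":"","host":";id;echo PWNED"}}')

if __name__ == "__main__":
    print("unsafe string:", build_command_unsafe(json.loads(INJECTED_BODY)["data"]))
    try:
        handle_setwan(INJECTED_BODY)
    except ValueError as err:
        print("hardened handler:", err)
```

The two defences are independent and both matter: the allow-list rejects the page's payload outright, and the argv list means that even a value which slipped past validation would reach the helper as a single argument rather than being parsed by a shell. Authentication on the endpoint is a third, separate control that the example does not model.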
Real-World Exploitation Evidence
Rapid7 published their disclosure and Metasploit module on 12 May 2022, and mass exploitation began within days. Key observations:
- Mirai botnet variants — Zyxel devices are common Mirai targets, and this CVE was rapidly integrated into multiple Mirai campaigns to build DDoS botnets
- Cyclops Blink botnet (Sandworm/GRU) — while not directly attributed to this specific CVE, Zyxel devices were a Cyclops Blink target; this CVE expanded the attack surface
- Cryptocurrency mining — multiple campaigns deployed XMRig and similar miners to compromised Zyxel devices
- Initial access brokers — compromised Zyxel devices were being sold on underground forums for network access
Shodan showed thousands of vulnerable devices exposed to the internet at the time of disclosure, with a significant number in the EU and APAC.
Impact Assessment
- Botnet recruitment — affected devices are commonly drafted into DDoS botnets
- Network pivot — a compromised firewall gives attackers visibility into all traffic passing through it; they can pivot to internal network segments
- Configuration access — firewall config contains VPN credentials, pre-shared keys, and network topology information
- Traffic interception — with firewall access, attackers can redirect or inspect traffic
- Persistent access — modified firmware or cron jobs maintain persistence across reboots on some device models
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Zyxel USG Flex 100 | ZLD V5.00–V5.21 Patch 1 | ZLD V5.30 |
| Zyxel USG Flex 200 | ZLD V5.00–V5.21 Patch 1 | ZLD V5.30 |
| Zyxel USG Flex 500 | ZLD V5.00–V5.21 Patch 1 | ZLD V5.30 |
| Zyxel USG Flex 700 | ZLD V5.00–V5.21 Patch 1 | ZLD V5.30 |
| Zyxel ATP Series | ZLD V5.10–V5.21 Patch 1 | ZLD V5.30 |
| Zyxel VPN Series | ZLD V4.60–V5.21 Patch 1 | ZLD V5.30 |
Remediation Steps
- Update firmware to ZLD V5.30 or later via the Zyxel device management portal
- If immediate patching is not possible, disable remote management access from the WAN interface:
  - Navigate to Security Policy > Policy Control
  - Remove rules permitting access to the management interface from untrusted zones
  - Restrict management interface access to specific trusted IP addresses only
- Check for unexpected cron jobs or scripts added to the device:

```sh
cat /etc/crontab
crontab -l
```

- Review syslog for unexpected POST requests to /ztp/cgi-bin/handler
- Check for unusual outbound connections from the device (it shouldn't be initiating connections to random external IPs)
Detection Guidance
Web/access logs — search for POST requests to /ztp/cgi-bin/handler from external IPs. Any such request is suspicious since ZTP endpoints shouldn’t be externally accessible.
Firewall logs — look for unexpected outbound connections initiated from the firewall device itself, particularly to ports commonly used for reverse shells (4444, 1234, 443 from device to external).
Suricata signature:

```text
alert http any any -> any $HTTP_PORTS (msg:"Zyxel CVE-2022-30525 Command Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ztp/cgi-bin/handler"; http.request_body; content:"setWan"; classtype:web-application-attack; sid:2034004; rev:1;)
```
IOCs:
- POST requests to /ztp/cgi-bin/handler with JSON body containing shell metacharacters
- Unexpected cron entries on device
- Outbound connections from firewall device to non-configured hosts
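The web-log guidance and the first IOC above can be turned into a simple triage script. The following is an added example, not from the page, Rapid7 or Zyxel: it applies those two indicators (POST to the ZTP endpoint from outside trusted management networks, and shell metacharacters in the `data` fields) to constructed sample log lines. The line layout and the trusted subnets are assumptions; a real deployment would map them onto the device's actual syslog format.

```python
"""Added example, not from the page or from Zyxel: a small triage script that
applies the web-log indicators above to constructed sample log lines. The log
line layout and the trusted management subnets are assumptions."""
import ipaddress
import json
import re

ZTP_PATH = "/ztp/cgi-bin/handler"

# Assumed management networks; a POST to the ZTP endpoint from anywhere else
# is treated as external.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Characters that let a value escape a shell command context; none belong in
# a hostname or MTU field.
METACHARS = re.compile(r"[;|&`$<>(){}'\"\\\n]")

# Assumed line layout: "<timestamp> <src_ip> <method> <path> <status> <body-or-dash>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (.*)$")

# Constructed sample lines; the JSON body on the second line is the page's payload.
SAMPLE_LOG = """\
2022-05-13T04:12:09Z 10.0.0.5 GET /ztp/cgi-bin/handler 200 -
2022-05-13T04:12:11Z 203.0.113.45 POST /ztp/cgi-bin/handler 200 {"command":"setWan","proto":"dhcp6","data":{"MSS":"","mtu":"1500","dial":"","host":";id;echo PWNED"}}
2022-05-13T04:13:02Z 192.168.1.20 POST /ztp/cgi-bin/handler 200 {"command":"setWan","proto":"dhcp","data":{"host":"branch-gw","mtu":"1500"}}
2022-05-13T04:14:40Z 198.51.100.7 GET /index.html 200 -
"""


def is_external(src: str) -> bool:
    """True unless the source address falls inside an assumed trusted subnet."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return True  # unparsable source: treat as untrusted
    return not any(addr in net for net in TRUSTED_NETS)


def body_has_metachars(body: str) -> bool:
    """True when any string value under "data" contains a shell metacharacter."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return False
    data = doc.get("data", {}) if isinstance(doc, dict) else {}
    return any(isinstance(v, str) and METACHARS.search(v) for v in data.values())


def triage_line(line: str):
    """Return a finding dict for a suspicious ZTP request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, method, path, _status, body = m.groups()
    if path != ZTP_PATH:
        return None
    reasons = []
    if method == "POST" and is_external(src):
        reasons.append("external POST to ZTP endpoint")
    if body != "-" and body_has_metachars(body):
        reasons.append("shell metacharacters in request data")
    if not reasons:
        return None
    return {"time": ts, "src": src, "reasons": reasons}


def triage(log_text: str) -> list:
    """Run triage_line over every line and keep only the findings."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the script flags only the second line, for both reasons; the internal `setWan` request with a clean hostname is left alone, which mirrors the page's point that the endpoint itself is legitimate and it is external reachability plus injected metacharacters that make a request suspicious.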
Timeline
| Date | Event |
|---|---|
| April 2022 | Rapid7 researcher Jake Baines discovers CVE-2022-30525 |
| 28 April 2022 | Rapid7 notifies Zyxel |
| 12 May 2022 | Zyxel releases ZLD V5.30 patch |
| 12 May 2022 | Rapid7 publishes disclosure and Metasploit module |
| May 2022 | Mass exploitation begins; botnet activity observed within days |
| May 2022 | CISA adds to Known Exploited Vulnerabilities catalogue |