CVE-2022-30526

Q: What is the severity of CVE-2022-30526?

CVE-2022-30526 has a CVSS score of 7.8 (HIGH). This CVE describes a local privilege escalation vulnerability in Zyxel firewall CLI commands where a local attacker can execute OS commands with root privileges in specific directories. It affects multiple Zyxel firewall product lines running vulnerable firmware versions. Attackers with local access can gain full system control.

7.8 HIGH

📋 TL;DR

This CVE describes a local privilege escalation vulnerability in Zyxel firewall CLI commands where a local attacker can execute OS commands with root privileges in specific directories. It affects multiple Zyxel firewall product lines running vulnerable firmware versions. Attackers with local access can gain full system control.

💻 Affected Systems

Products:

Zyxel USG FLEX 100(W)
USG FLEX 200
USG FLEX 500
USG FLEX 700
USG FLEX 50(W)
USG20(W)-VPN
ATP series
VPN series
USG/ZyWALL series

Versions: Multiple version ranges: 4.09-4.72 for USG/ZyWALL, 4.16-5.30 for USG FLEX 50(W) and USG20(W)-VPN, 4.30-5.30 for VPN series, 4.32-5.30 for ATP series, 4.50-5.30 for other USG FLEX models

Operating Systems: Zyxel proprietary firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all default configurations. Requires local CLI access to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attacker to install persistent backdoors, exfiltrate configuration data, pivot to internal networks, or disable firewall protections entirely.

🟠

Likely Case

Local authenticated attacker gains root privileges to modify firewall rules, intercept traffic, or access sensitive configuration data stored on the device.

🟢

If Mitigated

With proper network segmentation and access controls limiting local access, impact is reduced to authorized administrators only.

🌐 Internet-Facing: LOW (requires local access to device CLI)

🏢 Internal Only: HIGH (anyone with local CLI access can exploit)

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit requires local CLI access but is straightforward once access is obtained. Public exploit code exists in Packet Storm references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in firmware versions beyond the affected ranges (e.g., 5.31+ for most models)

Vendor Advisory: https://www.zyxel.com/support/Zyxel-security-advisory-authenticated-directory-traversal-vulnerabilities-of-firewalls.shtml

Restart Required: Yes

Instructions:

1. Check current firmware version. 2. Download latest firmware from Zyxel support portal. 3. Backup configuration. 4. Upload and install firmware update. 5. Reboot device. 6. Verify updated version.

🔧 Temporary Workarounds

Restrict CLI Access

all

Limit local CLI access to trusted administrators only using access control lists and strong authentication.

Network Segmentation

all

Isolate management interfaces from general network access to prevent unauthorized local access.

🧯 If You Can't Patch

Implement strict access controls to limit who can access device CLI interfaces
Monitor for unusual CLI activity and privilege escalation attempts in logs

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface (System > Maintenance > Firmware) or CLI 'show version' command and compare to affected ranges.

Check Version:

show version

Verify Fix Applied:

Verify firmware version is beyond affected ranges (e.g., 5.31+ for most models) and test CLI command restrictions.

📡 Detection & Monitoring

Log Indicators:

Unusual CLI command execution patterns
Privilege escalation attempts in system logs
Multiple failed authentication attempts followed by successful CLI access

Network Indicators:

Unexpected management interface access from unusual IPs
Anomalous traffic patterns post-CLI access

SIEM Query:

source="zyxel_firewall" AND (event_type="cli_command" AND command="*privilege*" OR command="*root*")

📊 Metadata

CVE ID: CVE-2022-30526

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-269

Published: July 19, 2022

Last Updated: November 21, 2024

🔗 References

http://packetstormsecurity.com/files/168202/Zyxel-Firewall-SUID-Binary-Privilege-Escalation.html Exploit,Third Party Advisory,VDB Entry
https://www.zyxel.com/support/Zyxel-security-advisory-authenticated-directory-traversal-vulnerabilities-of-firewalls.shtml Vendor Advisory
http://packetstormsecurity.com/files/168202/Zyxel-Firewall-SUID-Binary-Privilege-Escalation.html Exploit,Third Party Advisory,VDB Entry
https://www.zyxel.com/support/Zyxel-security-advisory-authenticated-directory-traversal-vulnerabilities-of-firewalls.shtml Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Atp100 Firmware by Zyxel

Atp100w Firmware by Zyxel

Atp200 Firmware by Zyxel

Atp500 Firmware by Zyxel

Atp700 Firmware by Zyxel

Atp800 Firmware by Zyxel

Usg 2200 Vpn Firmware by Zyxel

Usg Flex 100w Firmware by Zyxel

Usg Flex 200 Firmware by Zyxel

Usg Flex 500 Firmware by Zyxel

Usg Flex 50w Firmware by Zyxel

Usg Flex 700 Firmware by Zyxel

Usg20 Vpn Firmware by Zyxel

Usg20w Vpn Firmware by Zyxel

Usg40 Firmware by Zyxel

Usg40w Firmware by Zyxel

Usg60 Firmware by Zyxel

Usg60w Firmware by Zyxel

Vpn100 Firmware by Zyxel

Vpn1000 Firmware by Zyxel

Vpn300 Firmware by Zyxel

Vpn50 Firmware by Zyxel

Zywall 110 Firmware by Zyxel

Zywall 1100 Firmware by Zyxel

Zywall 310 Firmware by Zyxel