CVE-2022-38547
📋 TL;DR
This is a post-authentication command injection vulnerability in Zyxel firewall devices that allows authenticated administrators to execute arbitrary operating system commands. It affects multiple Zyxel firewall series running specific firmware versions. Attackers with administrative access can exploit this to gain full system control.
💻 Affected Systems
- Zyxel ZyWALL
- Zyxel USG
- Zyxel VPN
- Zyxel USG FLEX
- Zyxel ATP
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the firewall device, allowing attackers to pivot to internal networks, steal credentials, install persistent backdoors, or disrupt network operations.
Likely Case
Privilege escalation from authenticated administrator to full OS command execution, enabling lateral movement, data exfiltration, or network reconnaissance.
If Mitigated
Limited impact due to strong access controls, network segmentation, and monitoring that would detect unusual administrative activity.
🎯 Exploit Status
Exploitation requires administrative credentials but is straightforward once authenticated. Multiple public PoCs exist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ZyWALL/USG: 4.73, VPN/USG FLEX/ATP: 5.33
Vendor Advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-rce-in-firewalls
Restart Required: Yes
Instructions:
1. Download the latest firmware from the Zyxel support portal.
2. Back up the current configuration.
3. Upload and install the firmware update via the web interface or CLI.
4. Reboot the device.
5. Verify the firmware version.
🔧 Temporary Workarounds
Restrict administrative access
Limit administrative access to trusted IP addresses and networks only
Implement multi-factor authentication
Require MFA for all administrative accounts to reduce credential compromise risk
🧯 If You Can't Patch
- Implement strict network segmentation to isolate firewall management interfaces
- Enable comprehensive logging and monitoring for administrative command execution
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface (System > System Information) or CLI (show version). Compare against affected version ranges.
Check Version:
show version
Verify Fix Applied:
Verify firmware version is ZyWALL/USG 4.73+ or VPN/USG FLEX/ATP 5.33+
📡 Detection & Monitoring
Log Indicators:
- Unusual CLI command execution patterns
- Multiple failed authentication attempts followed by successful login
- Commands with shell metacharacters in administrative logs
Network Indicators:
- Unexpected outbound connections from firewall management interface
- Unusual traffic patterns from firewall to internal systems
SIEM Query:
source="zyxel_firewall" AND event_type="cli_command" AND (command="*;*" OR command="*|*" OR command="*`*" OR command="*$(*")
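As an added example (not part of the advisory or of any Zyxel tooling), the following Python applies the two indicators above, shell metacharacters in administrative CLI commands and administrative activity from outside a trusted management network, to a handful of constructed log lines; the key=value log syntax and the trusted-network prefix are assumptions, not real Zyxel output.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in an assumed syslog-like key=value layout (not real Zyxel output).
SAMPLE_LOGS = [
    '2024-01-15T09:00:01Z zywall cli_command user=admin src=10.0.0.5 cmd="show version"',
    '2024-01-15T09:00:07Z zywall cli_command user=admin src=10.0.0.5 cmd="show interface all"',
    '2024-01-15T09:01:12Z zywall cli_command user=admin src=203.0.113.7 cmd="ping 127.0.0.1; echo test"',
    '2024-01-15T09:01:20Z zywall cli_command user=admin src=203.0.113.7 cmd="ping $(hostname)"',
    '2024-01-15T09:02:00Z zywall login_success user=admin src=203.0.113.7',
]

# Assumed management allow-list (prefix match for brevity; use the ipaddress module for real CIDRs).
TRUSTED_MGMT_PREFIXES = ("10.0.0.",)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) (?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# The metacharacters the advisory's SIEM query looks for: ; | ` and $(
META_RE = re.compile(r"[;|`]|\$\(")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into timestamp, host, event type and its key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "event": m.group("event")}
    for key, _whole, quoted, bare in KV_RE.findall(m.group("kv")):
        rec[key] = quoted if quoted else bare
    return rec


def shell_metachars(cmd: str) -> List[str]:
    """Return the distinct shell metacharacters present in an administrative CLI command."""
    return sorted(set(META_RE.findall(cmd)))


def analyze(lines: List[str]) -> List[Dict[str, str]]:
    """Emit one alert per indicator hit: untrusted admin source, or metacharacters in a command."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec.get("src", "")
        if not src.startswith(TRUSTED_MGMT_PREFIXES):
            alerts.append({"ts": rec["ts"], "src": src, "reason": "admin activity from untrusted source"})
        if rec["event"] == "cli_command":
            meta = shell_metachars(rec.get("cmd", ""))
            if meta:
                alerts.append({"ts": rec["ts"], "src": src, "reason": "shell metacharacters: " + " ".join(meta)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

Legitimate CLI usage of `|` for output filtering will match this rule, so tune the metacharacter set to what the device's CLI actually permits before alerting on it.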