
CVE-2022-30525

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 12 May 2022
Modified: 27 October 2025
KEV Added: 16 May 2022
Patch: vendor patch available
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9445 (100.0th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-30525 is a critical-severity OS command injection (CWE-78) vulnerability in the CGI program of several Zyxel firewall product lines (USG FLEX, USG20(W)-VPN, ATP and VPN series). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score of 0.9445 sits at the 100th percentile, placing it among the CVEs most likely to be exploited; CISA added it to the Known Exploited Vulnerabilities catalog on 16 May 2022, four days after publication; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-30525 is an OS command injection vulnerability (CWE-78) residing in the CGI program of multiple Zyxel firewall product lines. Affected devices include USG FLEX 100(W), 200, 500, and 700 running firmware 5.00–5.21 Patch 1; USG FLEX 50(W) and USG20(W)-VPN running 5.10–5.21 Patch 1; ATP series running 5.10–5.21 Patch 1; and VPN series running 4.60–5.21 Patch 1. The flaw permits an attacker to modify specific files and subsequently execute arbitrary operating-system commands on the device.

Unauthenticated remote attackers can exploit the issue over the network without user interaction. Successful exploitation yields full control of the affected appliance, enabling arbitrary command execution with impacts to confidentiality, integrity, and availability, as reflected in the CVSS 9.8 base score.
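The following is an added illustration of the CWE-78 pattern described above, written for this page rather than taken from Zyxel's firmware (whose CGI code the page does not show). It contrasts a minimal CGI-style handler that interpolates request parameters into a shell command line with the hardened form that the SI-10 control calls for: allowlist validation of every parameter and execution through an argv list with no shell. The `iface`/`mtu` parameters, the `echo` stand-in command, the MTU bounds and the payload are all constructed for the example; a small triage helper that flags parameters carrying shell metacharacters is included for log review.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Stand-in command: the real CGI program is not shown on this page, and `echo`
# lets the example run on any host without touching network interfaces.


def vulnerable_handler(query_string: str) -> str:
    """CWE-78 pattern: request parameters interpolated into a shell command line."""
    params = parse_qs(query_string)
    iface = params.get("iface", ["wan0"])[0]
    mtu = params.get("mtu", ["1500"])[0]
    # VULNERABLE: shell=True plus string interpolation. A value such as
    # "1500;echo INJECTED" ends the intended command and starts a second one.
    cmd = f"echo set mtu {mtu} on {iface}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


IFACE_RE = re.compile(r"[a-z]{2,8}[0-9]{0,2}")  # e.g. wan0, lan1 (assumed naming)
MTU_RE = re.compile(r"[0-9]+")                  # ASCII digits only; \d would admit Unicode digits
MTU_MIN, MTU_MAX = 68, 9000                     # assumed sane bounds for the example


def hardened_handler(query_string: str) -> str:
    """Same feature with SI-10 style input validation and no shell."""
    params = parse_qs(query_string)
    iface = params.get("iface", ["wan0"])[0]
    mtu_raw = params.get("mtu", ["1500"])[0]
    # Allowlist validation: reject anything that is not exactly the expected shape.
    if not IFACE_RE.fullmatch(iface):
        raise ValueError(f"rejected iface value: {iface!r}")
    if not MTU_RE.fullmatch(mtu_raw) or not (MTU_MIN <= int(mtu_raw) <= MTU_MAX):
        raise ValueError(f"rejected mtu value: {mtu_raw!r}")
    # argv list, no shell: each element reaches the program as one argument, so
    # shell metacharacters inside a value can never begin a second command.
    argv = ["echo", "set", "mtu", str(int(mtu_raw)), "on", iface]
    return subprocess.run(argv, capture_output=True, text=True).stdout


SHELL_META = re.compile(r"[;&|`$<>\n]")


def suspicious_params(query_string: str) -> list:
    """Triage helper: names of parameters whose values carry shell metacharacters."""
    return [
        name
        for name, values in parse_qs(query_string).items()
        if any(SHELL_META.search(v) for v in values)
    ]


if __name__ == "__main__":
    benign = "iface=wan1&mtu=1500"
    # Constructed payload: %3B decodes to ';' and %20 to a space.
    payload = "iface=wan1&mtu=1500%3Becho%20INJECTED"
    print(vulnerable_handler(payload))   # second output line proves the injected command ran
    print(hardened_handler(benign))
    try:
        hardened_handler(payload)
    except ValueError as err:
        print("blocked:", err)
    print("suspicious parameters:", suspicious_params(payload))
```

The hardened handler rejects the payload before any process is spawned; even if validation were bypassed, the argv form denies the attacker a shell to interpret metacharacters, which is why both layers are worth keeping.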

Zyxel’s security advisory directs customers to apply the vendor-supplied firmware updates that remediate the command-injection flaw in the CGI component. Public exploit artifacts, including unauthenticated command-injection and remote-code-execution proofs, have been posted to Packet Storm.

The EPSS score reached a peak of 0.9756 and remains at 0.9445, indicating sustained exploitation interest after disclosure.


Vulnerability details

An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
KEV Date Added: 16 May 2022

Related Threats

No named threat-actor attribution yet. ATT&CK technique mapping for this CVE is in progress.

Affected Assets (NVD product configurations)

zyxel usg flex 100w firmware: 5.00 to 5.30
zyxel usg flex 200 firmware: 5.00 to 5.30
zyxel usg flex 500 firmware: 5.00 to 5.30
zyxel usg flex 700 firmware: 5.00 to 5.30
zyxel vpn100 firmware: 4.60 to 5.30
zyxel vpn1000 firmware: 4.60 to 5.30
zyxel vpn300 firmware: 4.60 to 5.30
zyxel vpn50 firmware: 4.60 to 5.30
zyxel atp100 firmware: 5.10 to 5.30
zyxel atp100w firmware: 5.10 to 5.30
+6 more product configuration(s); see NVD for the full list.
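An added inventory check, written for this page and not part of any Zyxel or NVD tooling, that decides whether a given product and firmware string falls inside the affected ranges stated in the advisory text above (first affected version per product line, last affected version 5.21 Patch 1 for all of them; the NVD configuration list simply bounds the same ranges at 5.30). The version format "major.minor[ Patch n]" with an optional leading "V" is an assumption of the example, as is the constructed inventory at the bottom.

```python
import re

# Assumed version shape: "5.21 Patch 1", "4.60", or "V5.30". Anything else is rejected
# rather than guessed at, so a malformed inventory entry surfaces instead of passing.
VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) so that tuple comparison orders versions correctly."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


# Last affected version is the same for every product line in the advisory text.
LAST_AFFECTED = parse_version("5.21 Patch 1")

# First affected version per product line, taken from the advisory text above.
# "ATP" and "VPN" stand for whole series and are matched by prefix.
FIRST_AFFECTED = {
    "USG FLEX 100": "5.00", "USG FLEX 100W": "5.00", "USG FLEX 200": "5.00",
    "USG FLEX 500": "5.00", "USG FLEX 700": "5.00",
    "USG FLEX 50": "5.10", "USG FLEX 50W": "5.10",
    "USG20-VPN": "5.10", "USG20W-VPN": "5.10",
    "ATP": "5.10",
    "VPN": "4.60",
}


def family_for(product: str):
    """Map a product name to its advisory range key, or None if not named in the advisory."""
    p = " ".join(product.upper().split())
    if p in FIRST_AFFECTED:
        return p
    for series in ("ATP", "VPN"):
        if p.startswith(series):
            return series
    return None


def is_affected(product: str, firmware: str) -> bool:
    family = family_for(product)
    if family is None:
        return False
    return parse_version(FIRST_AFFECTED[family]) <= parse_version(firmware) <= LAST_AFFECTED


def triage(inventory) -> list:
    """Return the (product, firmware) pairs from an inventory that still need the patch."""
    return [(p, f) for p, f in inventory if is_affected(p, f)]


if __name__ == "__main__":
    # Constructed inventory for the example; not real device data.
    inventory = [
        ("USG FLEX 100W", "5.21 Patch 1"),
        ("USG FLEX 200", "V5.30"),
        ("ATP200", "5.00"),
        ("VPN300", "4.60"),
        ("USG20W-VPN", "5.10"),
    ]
    for product, firmware in triage(inventory):
        print(f"PATCH NEEDED: {product} running {firmware}")
```

The ordering matters: an exact product match is tried before the series prefixes so that, for instance, "USG20W-VPN" is not mistaken for the VPN series with its earlier 4.60 start.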

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): directly requires validation of CGI inputs, blocking the OS command injection payload that enables unauthenticated RCE.

SI-2 Flaw Remediation (prevent): mandates prompt application of the vendor firmware patches that remediate the command-injection flaw in the affected Zyxel CGI code.

SI-7 Software, Firmware, and Information Integrity (prevent, detect): requires integrity verification of firmware and executables, detecting or blocking the post-exploitation tampering that follows successful command injection.
