CVE-2022-30525 In CGI, Zyxel USG FLEX 100(W) 5.00 - 5.21P1, FLEX 200 5.00 - 5.21P1, FLEX 500 5.00 - 5.21P1, FLEX 700 5.00 - 5.21P1 have OS command injection vulnerability.

CVE-2022-30525 In CGI, Zyxel USG FLEX 100(W) 5.00 - 5.21P1, FLEX 200 5.00 - 5.21P1, FLEX 500 5.00 - 5.21P1, FLEX 700 5.00 - 5.21P1 have OS command injection vulnerability.

An attacker could exploit this vulnerability by sending a specially-crafted request to an affected system. Zyxel USG FLEX 100(W), USG FLEX 200, USG FLEX 500, USG FLEX 700, USG FLEX 50(W), USG20(W)-VPN, ATP series, VPN series firmware versions are vulnerable. The following instructions show how to exploit this vulnerability on Windows operating system.

In order to exploit this vulnerability, an attacker must: Have access to an affected system, such as an access request to a device, or via a web-based attack vector.

Create a file with an OS command and send a request to an affected system with a file to execute the OS command via the injected file. Host: In Linux/UNIX systems, the “echo” command is used to display a character string.

In Windows systems, the “set” command is used to set a value.

In order to send an OS command, a specially-crafted file must be sent to the vulnerable system. An attacker can send a file to an affected system via email, USB drive, etc.

Once the file is received by the system, it will be executed. Steps to exploit this vulnerability on Windows operating system: Send a file to an affected system via email, USB drive, etc.

Launch the “set” command and enter the following

Run the exploit code set [path to file with OS command]

Execute the file.

Example: set cmd=c:\\windows\\system32\\cmd.exe in the Command field and press enter

Step 1: Create a file with an OS command (Windows) br

> echo set cmd.exe /c "cmd.exe" >&1
Step 2: Send the email to the vulnerable system

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe