By leveraging a critical vulnerability tracked as CVE-2022-30525 – present in ATP, VPN and some USG FLEX series products – attackers are able to bypass authentication and achieve remote code execution.
Although Zyxel rolled out a fix for the security bug last week, thousands of administrators have failed to install the necessary patch and the exploit is now being utilized openly in the wild.
Zyxel VPN vulnerability
The vulnerability in Zyxel’s business VPN devices was first identified by security firm Rapid7, which assisted the company with the remediation.
In a blog post detailing the bug, Rapid7 warned that attackers could abuse the issue to establish a reverse shell, a type of session that facilitates communication between the attacker and the target machine and sets the stage for further attacks.
The result is that the attacker could effectively seize full control of systems that are otherwise protected by a firewall and other network security measures.
In an advisory published by Zyxel alongside the patch, the company urged administrators to install the relevant update immediately. This sentiment was echoed on Twitter by the cybersecurity director of the NSA, such is the severity of the issue and popularity of Zyxel hardware.
The latest analysis shows that upwards of 15,000 vulnerable Zyxel products remain unpatched, the majority of which belong to companies based in France, Italy, Switzerland and the US, meaning the potential scope of attacks is significant.
To help organizations shield against and mitigate attacks, multiple security researchers have published useful resources online. A team operating under Spanish telecoms firm Telefonica, for example, has released a program that scans for vulnerable endpoints, and another researcher has published a tool to help detect intrusions related to the flaw.