At the end of last week, Rapid7 disclosed a nasty bug in Zyxel firewalls that could allow for an unauthenticated remote attacker to execute code as the nobody user.
The underlying programming flaw was a lack of input sanitisation: two fields passed to a CGI handler were fed, unchecked, into system calls. The impacted models were its VPN and ATP series, and USG 100(W), 200, 500, 700, and Flex 50(W)/USG20(W)-VPN.
At the time, Rapid7 said Shodan had found 15,000 affected models exposed on the internet. However, over the weekend the Shadowserver Foundation raised that number to over 20,800.
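The flaw described above is a classic command-injection pattern: a request field is pasted into a shell command. The following C snippet is an added illustration, not Zyxel's code or Rapid7's, and the `host` parameter and `ping` command are hypothetical stand-ins for the two unnamed CGI fields. It places the vulnerable string-building pattern beside a hardened version that allow-lists the value and builds an argv for `execvp`, so no shell ever interprets the input.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#define MAX_HOST 253  /* RFC 1035 upper bound on a hostname */

/* Vulnerable pattern, shown for contrast and never executed here: the request
 * field is pasted into a shell command line, so any shell metacharacters in
 * "host" become part of the command. Returns the string that a handler like
 * this would hand to system(). */
const char *build_ping_command_unsafe(const char *host, char *buf, size_t n)
{
    snprintf(buf, n, "ping -c 1 %s", host);
    return buf;
}

/* Allow-list check: hostnames and dotted IPv4 literals only. Rejects NULL,
 * empty or over-long values, any character outside [A-Za-z0-9.-], and a
 * leading '-' so the value can never be parsed as an option by the child. */
int is_safe_hostname(const char *s)
{
    size_t len;
    if (s == NULL) return 0;
    len = strlen(s);
    if (len == 0 || len > MAX_HOST) return 0;
    if (s[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened pattern: validate first, then build an argv for execvp() so the
 * value travels as one argument and no shell is involved (cast to
 * char *const * at the execvp call). Returns the number of argv entries,
 * excluding the NULL terminator, or -1 when the input is rejected. */
int build_ping_argv_safe(const char *host, const char *argv[], size_t max)
{
    if (max < 5 || !is_safe_hostname(host)) return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;
    return 4;
}

int main(void)
{
    char buf[512];
    const char *argv[5];
    /* Constructed sample inputs: a benign host and one carrying a shell
     * metacharacter (documentation range address, RFC 5737). */
    const char *benign = "203.0.113.10";
    const char *hostile = "203.0.113.10; echo injected";

    printf("unsafe command: %s\n", build_ping_command_unsafe(hostile, buf, sizeof buf));
    printf("safe (benign):  %d\n", build_ping_argv_safe(benign, argv, 5));
    printf("safe (hostile): %d\n", build_ping_argv_safe(hostile, argv, 5));
    return 0;
}
```

The unsafe builder passes the `;` and everything after it straight into the command string, which is exactly the behaviour a shell-based `system()` call would then act on; the hardened path rejects the same input outright and, for accepted input, never gives a shell the chance to reinterpret it.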
“Most popular are USG20-VPN (10K IPs) and USG20W-VPN (5.7K IPs). Most of the CVE-2022-30525 affected models are in the EU – France (4.5K) and Italy (4.4K),” it tweeted.
The Foundation also said it had seen exploitation kick off on May 13, and urged users to patch immediately.
After Rapid7 reported the vulnerability on April 13, the Taiwanese hardware maker silently released patches on April 28. Rapid7 only realised on May 9 that the release had happened; it then published its blog post and Metasploit module alongside the Zyxel notice, and was not happy with the timeline of events.
“This patch release is tantamount to releasing details of the vulnerabilities, since attackers and researchers can trivially reverse the patch to learn precise exploitation details, while defenders rarely bother to do this,” Rapid7 discoverer of the bug Jake Baines wrote.
“Therefore, we’re releasing this disclosure early in order to assist defenders in detecting exploitation and to help them decide when to apply this fix in their own environments, according to their own risk tolerances. In other words, silent vulnerability patching tends to only help active attackers, and leaves defenders in the dark about the true risk of newly discovered issues.”
For its part, Zyxel claimed there was a “miscommunication during the disclosure coordination process” and it “always follows the principles of coordinated disclosure”.
At the end of March, Zyxel published an advisory for another CVSS 9.8 vulnerability in its CGI program that could allow an attacker to bypass authentication and gain administrative access to the device.