Critical bug in Zyxel firewalls, VPNs exploited in the wild

Disclosure woes

According to Baines' blog post, he discovered the bug in April, and Rapid7 emailed Zyxel on April 13, which acknowledged receipt the following day.

Rapid7 had proposed a coordinated disclosure of the flaw for June. However, the vendor later discovered that Zyxel had silently patched the vulnerability on April 28, without disclosing the bug to the public. Rapid7 said Zyxel's release on April 28 was "uncoordinated" with the vulnerability reporter.

"This patch release is tantamount to releasing details of the vulnerabilities, since attackers and researchers can trivially reverse the patch to learn precise exploitation details, while defenders rarely bother to do this," Baines wrote in his blog post, criticizing Zyxel's decision to forgo a security advisory for the bug.

On May 13 the Shadowserver Foundation, a nonprofit infosec organization, began observing exploitation attempts. In a tweet two days later, Shadowserver said its scans showed at least 20,800 potentially affected Zyxel firewall models, with a majority located in France and Italy.

Additionally, Rapid7 conducted a Shodan search which revealed more than 15,000 vulnerable Zyxel products.

Zyxel did not publish an advisory until May 12, the same day Baines disclosed the vulnerability in his blog post. The vendor also highlighted affected models including USG Flex, ATP series and VPN series, along with affected firmware such as ZLD V5.00 through ZLD V5.21. VPNs have grown increasingly popular as a target for threat actors, including nation-state groups.

The advisory also included a fix for the critical bug and addressed the disclosure dispute with Rapid7.

"Thanks to Rapid7 for reporting the CVE-2022-30525 issue to us. However, there was miscommunication during the disclosure coordination with Rapid7. As a CNA, Zyxel always follows the principles of coordinated disclosure to arrange public disclosure with reporters," Zyxel wrote in the advisory.

Zyxel did not expand on details of the miscommunication and was unavailable for comment at this time.

While CVE-2022-30525 poses a threat to enterprise networks and the affected scope is fairly decent, Baines focused on an even bigger threat -- the risks associated with uncoordinated disclosure.

"In other words, silent vulnerability patching tends to only help active attackers, and leaves defenders in the dark about the true risk of newly discovered issues," Baines wrote.

Rapid7 recommended applying the vendor patch as soon as possible and to "disable WAN access to the administrative web interface of the system."