CVE-2022-30525

CRITICAL KEV RANSOMWARE NUCLEI

Zyxel Firewall SUID Binary Privilege Escalation

Title source: metasploit

Exploitation Summary

CVE-2022-30525 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 16, 2022, with confirmed use in ransomware campaigns. EIP tracks 16 public exploits from researchers including Valentin Lobstein, shuai06 and jbaines-r7, among them the Metasploit module exploits/linux/http/zyxel_ztp_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit targets CVE-2022-30525, an OS command injection vulnerability in Zyxel USG FLEX devices. It sends a crafted JSON payload to the `/ztp/cgi-bin/handler` endpoint, injecting a reverse shell command via the `mtu` parameter.

Description

An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, and VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

Exploits (16)

exploitdb WORKING POC
by Valentin Lobstein · text · remote · hardware
https://www.exploit-db.com/exploits/50946

This exploit targets CVE-2022-30525, an OS command injection vulnerability in Zyxel USG FLEX devices. It sends a crafted JSON payload to the `/ztp/cgi-bin/handler` endpoint, injecting a reverse shell command via the `mtu` parameter.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Zyxel USG FLEX, versions ZLD5.00 through ZLD5.21
No auth needed
Prerequisites: Network access to the target device · Target device must be running a vulnerable version of Zyxel USG FLEX
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 33 stars
by shuai06 · remote
https://github.com/shuai06/CVE-2022-30525

This PoC exploits a command injection vulnerability in Zyxel firewalls by injecting a DNS lookup command into the 'mtu' parameter of a JSON payload sent to the '/ztp/cgi-bin/handler' endpoint. It uses dnslog.cn for out-of-band detection to confirm the vulnerability.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Zyxel firewalls (specific versions not specified)
No auth needed
Prerequisites: Network access to the target device · The target device must have outbound DNS access to dnslog.cn
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 30 stars
by jbaines-r7 · remote
https://github.com/jbaines-r7/victorian_machinery

This is a functional proof-of-concept exploit for CVE-2022-30525, an unauthenticated remote command injection vulnerability in Zyxel firewalls. It leverages the zero-touch provisioning endpoint to execute arbitrary commands and establish a reverse shell.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Zyxel USG FLEX/ATP series firewalls (multiple models)
No auth needed
Prerequisites: Network access to the target's management interface (typically port 443) · A listener setup to receive the reverse shell
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 22 stars
by Henry4E36 · poc
https://github.com/Henry4E36/CVE-2022-30525

This PoC exploits CVE-2022-30525, an unauthenticated remote command injection vulnerability in Zyxel firewalls. It sends a crafted JSON payload to the `/ztp/cgi-bin/handler` endpoint, injecting a command to ping a DNS log server for verification.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Zyxel firewall (specific versions affected by CVE-2022-30525)
No auth needed
Prerequisites: Network access to the target device · DNS log service for verification
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 12 stars
by west9b · poc
https://github.com/west9b/CVE-2022-30525

This repository contains a functional proof-of-concept exploit for CVE-2022-30525, a command injection vulnerability in Zyxel firewalls. It includes both a DNS-based verification method and a reverse shell payload for exploitation.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Zyxel firewalls (ATP, VPN, USG FLEX series)
No auth needed
Prerequisites: Network access to the vulnerable Zyxel firewall · Target device must be running an affected firmware version
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 4 stars
by savior-only · poc
https://github.com/savior-only/CVE-2022-30525

This PoC exploits CVE-2022-30525, an unauthenticated remote command injection vulnerability in Zyxel firewalls. It uses DNS exfiltration via dnslog.cn to verify command execution by injecting a ping command into the 'mtu' parameter of a JSON payload sent to the /ztp/cgi-bin/handler endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Zyxel USG FLEX/ATP firewalls (ZLD5.00 through ZLD5.21 Patch 1)
No auth needed
Prerequisites: Network access to the target device · DNS resolution to dnslog.cn
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 3 stars
by iveresk · remote
https://github.com/iveresk/cve-2022-30525

This repository contains a functional Go-based exploit for CVE-2022-30525, targeting Zyxel firewalls with unauthenticated remote command execution via the `/ztp/cgi-bin/handler` endpoint. The exploit injects commands into the `mtu` parameter of a JSON payload, achieving RCE as the `nobody` user.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Zyxel USG FLEX, ATP, and VPN series firewalls (ZLD5.00 through ZLD5.21 Patch 1)
No auth needed
Prerequisites: Network access to the target's administrative HTTP interface (port 443) · ZTP functionality enabled on the target device
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 3 stars
by k0sf · poc
https://github.com/k0sf/CVE-2022-30525

This repository contains a functional proof-of-concept exploit for CVE-2022-30525, a command injection vulnerability in Zyxel firewalls. The exploit leverages the 'mtu' parameter in the '/ztp/cgi-bin/handler' endpoint to execute arbitrary commands, including reverse shell payloads via netcat or DNS exfiltration.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Zyxel USG FLEX/ATP series firewalls (ZLD5.00 through ZLD5.21 Patch 1)
No auth needed
Prerequisites: Network access to the target device · Exposed ZTP interface on the target
devstral-2 · analyzed Feb 16, 2026
nomisec SCANNER 2 stars
by cbk914 · poc
https://github.com/cbk914/CVE-2022-30525_check

This script checks for the presence of CVE-2022-30525, an OS command injection vulnerability in Zyxel USG FLEX devices. It sends a crafted HTTP request with a command injection payload to test for vulnerability.

Classification: Scanner 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Zyxel USG FLEX firmware versions 5.00 through 5.21 Patch 1
No auth needed
Prerequisites: Network access to the target device · Python 3 installed
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 2 stars
by Chocapikk · poc
https://github.com/Chocapikk/CVE-2022-30525-Reverse-Shell

This is a functional exploit for CVE-2022-30525, targeting unauthenticated remote command injection in Zyxel firewalls. It sends a crafted JSON payload to the `/ztp/cgi-bin/handler` endpoint, injecting a reverse shell via the `mtu` parameter.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Zyxel USG FLEX/ATP series firewalls (ZLD5.00 through ZLD5.21)
No auth needed
Prerequisites: Network access to the target device · Target device must be running a vulnerable Zyxel firmware version
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 1 star
by ProngedFork · poc
https://github.com/ProngedFork/CVE-2022-30525

This is a Python-based exploit for CVE-2022-30525, a command injection vulnerability in Zyxel firewalls. It leverages DNSLog for out-of-band detection of successful command injection via the 'mtu' parameter in a JSON payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Zyxel USG FLEX/ATP/VPN series firmware versions up to 5.21 Patch 1
No auth needed
Prerequisites: Network access to the target device · DNSLog service for out-of-band detection
devstral-2 · analyzed Feb 16, 2026
nomisec WRITEUP 1 star
by furkanzengin · poc
https://github.com/furkanzengin/CVE-2022-30525

This repository contains a detailed writeup of CVE-2022-30525, an OS command injection vulnerability in Zyxel firewalls. The vulnerability allows unauthenticated remote code execution via the /ztp/cgi-bin/handler endpoint using the setWanPortSt command.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Zyxel firewall products (ATP series, VPN series, USG FLEX series) with firmware versions prior to V5.30
No auth needed
Prerequisites: Network access to the target device · Zyxel firewall with vulnerable firmware
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 1 star
by superzerosec · remote
https://github.com/superzerosec/CVE-2022-30525

This PoC exploits CVE-2022-30525, a command injection vulnerability in Zyxel firewalls, by injecting a reverse shell payload into the 'mtu' parameter of a JSON request to the ZTP handler endpoint. The exploit uses a bash command to establish a reverse shell connection to a specified listener.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Zyxel firewalls (specific versions affected by CVE-2022-30525)
No auth needed
Prerequisites: Network access to the target device · A listener set up on the specified localhost and localport
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by arajsingh-infosec · remote
https://github.com/arajsingh-infosec/CVE-2022-30525_Exploit

This is a Python-based exploit for CVE-2022-30525, a command injection vulnerability in Zyxel firewalls. It leverages DNSLog for detection and can scan single or multiple targets.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Zyxel USG FLEX/ATP/VPN series firmware versions up to 5.21 Patch 1
No auth needed
Prerequisites: Network access to the target device · DNSLog service for detection
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by M4fiaB0y · poc
https://github.com/M4fiaB0y/CVE-2022-30525

This PoC exploits CVE-2022-30525, a command injection vulnerability in Zyxel firewalls. It sends a crafted JSON payload to the '/ztp/cgi-bin/handler' endpoint, injecting a command to ping a DNS log domain for verification of exploitation.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Zyxel firewalls (specific versions not specified)
No auth needed
Prerequisites: Network access to the target device · The target device must be running a vulnerable version of Zyxel firmware
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
by jbaines-r7 · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/zyxel_ztp_rce.rb

This Metasploit module exploits CVE-2022-30525, an unauthenticated remote command injection vulnerability in Zyxel firewalls via the ZTP handler. It injects commands into the 'mtu' field of a JSON payload sent to /ztp/cgi-bin/handler.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Zyxel USG FLEX, USG20-VPN, USG20W-VPN, ATP series (firmware 5.21 and below)
No auth needed
Prerequisites: Network access to the target device · ZTP enabled on the target
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Zyxel Firewall - OS Command Injection
CRITICAL · by h1ei1, prajiteshsingh
Shodan: title:"USG FLEX 100","USG FLEX 100w","USG FLEX 200","USG FLEX 500","USG FLEX 700","USG FLEX 50","USG FLEX 50w","ATP100","ATP200","ATP500","ATP700" || http.title:"usg flex 100","usg flex 100w","usg flex 200","usg flex 500","usg flex 700","usg flex 50","usg flex 50w","atp100","atp200","atp500","atp700"

Scores

CVSS v3 9.8
EPSS 0.9445
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-05-16
VulnCheck KEV 2022-05-14
InTheWild.io 2022-05-13
ENISA EUVD EUVD-2022-52385
Ransomware Use Confirmed
CWE
CWE-78
Status published
Products (16)
zyxel/atp100_firmware 5.10 - 5.30
zyxel/atp100w_firmware 5.10 - 5.30
zyxel/atp200_firmware 5.10 - 5.30
zyxel/atp500_firmware 5.10 - 5.30
zyxel/atp700_firmware 5.10 - 5.30
zyxel/atp800_firmware 5.10 - 5.30
zyxel/usg20w-vpn_firmware 5.10 - 5.30
zyxel/usg_flex_100w_firmware 5.00 - 5.30
zyxel/usg_flex_200_firmware 5.00 - 5.30
zyxel/usg_flex_500_firmware 5.00 - 5.30
... and 6 more
Published May 12, 2022
KEV Added May 16, 2022
Tracked Since Feb 18, 2026