CVE-2022-30526

HIGH

Zyxel Firewall Firmware - Privilege Escalation via CLI Command

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-30526. PoCs published by greek0x0, jbaines-r7, including Metasploit module exploits/linux/local/zyxel_suid_cp_lpe.

AI-analyzed exploit summary This Metasploit module exploits CVE-2022-30526, a local privilege escalation vulnerability in Zyxel firewalls. It leverages a SUID binary to overwrite the crontab, achieving root execution via a malicious cron job.

Description

A privilege escalation vulnerability was identified in the CLI command of Zyxel USG FLEX 100(W) firmware versions 4.50 through 5.30, USG FLEX 200 firmware versions 4.50 through 5.30, USG FLEX 500 firmware versions 4.50 through 5.30, USG FLEX 700 firmware versions 4.50 through 5.30, USG FLEX 50(W) firmware versions 4.16 through 5.30, USG20(W)-VPN firmware versions 4.16 through 5.30, ATP series firmware versions 4.32 through 5.30, VPN series firmware versions 4.30 through 5.30, USG/ZyWALL series firmware versions 4.09 through 4.72, which could allow a local attacker to execute some OS commands with root privileges in some directories on a vulnerable device.

Exploits (2)

nomisec WORKING POC 1 stars

by greek0x0 · poc

https://github.com/greek0x0/CVE-2022-30526

View Code ZIP pw:eip

This Metasploit module exploits CVE-2022-30526, a local privilege escalation vulnerability in Zyxel firewalls. It leverages a SUID binary to overwrite the crontab, achieving root execution via a malicious cron job.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Zyxel Firewall (USG FLEX, ATP, VPN series)

Auth required

Prerequisites: Initial shell access (e.g., via CVE-2022-30525) · Presence of vulnerable SUID binary

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1053.003 - Cron

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by jbaines-r7 · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/zyxel_suid_cp_lpe.rb

View Code ZIP pw:eip

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Zyxel Firewall (USG FLEX, ATP, VPN series)

Auth required

Prerequisites: Initial shell access (e.g., via CVE-2022-30525) · Presence of vulnerable SUID binary (zysudo.suid)

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1053.003 - Cron

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://www.zyxel.com/support/Zyxel-security-advisory-authenticated-directory-traversal-vulnerabilities-of-firewalls.shtml

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/168202/Zyxel-Firewall-SUID-Binary-Privilege-Escalation.html

Scores

CVSS v3 7.8

EPSS 0.0111

EPSS Percentile 61.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-269

Status published

Products (25)

zyxel/atp100_firmware 4.32 - 5.30

zyxel/atp100w_firmware 4.32 - 5.30

zyxel/atp200_firmware 4.32 - 5.30

zyxel/atp500_firmware 4.32 - 5.30

zyxel/atp700_firmware 4.32 - 5.30

zyxel/atp800_firmware 4.32 - 5.30

zyxel/usg20-vpn_firmware 4.30 - 5.30

zyxel/usg20w-vpn_firmware 4.16 - 5.30

zyxel/usg40_firmware 4.09 - 4.72

zyxel/usg40w_firmware 4.09 - 4.72

... and 15 more

Published Jul 19, 2022

Tracked Since Feb 18, 2026