CVE-2022-38547

HIGH

Zyxel ZyWALL/USG <4.72 - Command Injection

Title source: llm

Description

A post-authentication command injection vulnerability in the CLI command of Zyxel ZyWALL/USG series firmware versions 4.20 through 4.72, VPN series firmware versions 4.30 through 5.32, USG FLEX series firmware versions 4.50 through 5.32, and ATP series firmware versions 4.32 through 5.32, which could allow an authenticated attacker with administrator privileges to execute OS commands.

References (1)

Core 1

Core References

Vendor Advisory

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-rce-in-firewalls

Scores

CVSS v3 7.2

EPSS 0.0147

EPSS Percentile 81.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (25)

zyxel/atp100_firmware 4.32 - 5.32

zyxel/atp100w_firmware 4.32 - 5.32

zyxel/atp200_firmware 4.32 - 5.32

zyxel/atp500_firmware 4.32 - 5.32

zyxel/atp700_firmware 4.32 - 5.32

zyxel/atp800_firmware 4.32 - 5.32

zyxel/usg20-vpn_firmware 4.30 - 5.32

zyxel/usg20w-vpn_firmware 4.30 - 5.32

zyxel/usg40_firmware 4.20 - 4.72

zyxel/usg40w_firmware 4.20 - 4.72

... and 15 more

Published Feb 07, 2023

Tracked Since Feb 18, 2026