CVE-2022-30525 is a critical unauthenticated OS command injection vulnerability in the web-exposed CGI functionality of Zyxel firewall and VPN appliances running affected ZLD firmware. The flaw affects multiple Zyxel ATP, USG FLEX, USG FLEX 50(W), USG20(W)-VPN, and VPN series devices. Available technical reporting indicates the issue is reachable through a CGI handler endpoint and is caused by unsanitized attacker-controlled input being passed to operating system command execution logic in the firmware, including code paths associated with WAN configuration handling. Successful exploitation allows a remote attacker to inject arbitrary shell commands on the device without authentication. Reports also indicate attackers can modify specific files as part of the exploitation chain and then execute operating system commands on the vulnerable appliance.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository provides a Python proof-of-concept exploit for CVE-2022-30525, an unauthenticated remote command injection vulnerability in Zyxel firewalls. The main script, CVE-2022-30525.py, allows the user to specify a single target URL or a file containing multiple targets. It sends a crafted POST request to the /ztp/cgi-bin/handler endpoint on the target, injecting a command via the 'mtu' parameter in the JSON body. The injected command pings a unique domain obtained from dnslog.cn, and the script then checks dnslog.cn for evidence of the ping, confirming successful code execution. The exploit does not require authentication and is designed for detection and verification of the vulnerability, not for weaponized post-exploitation. The repository also includes a helper script (dnslog.py) for interacting with dnslog.cn and a sample target list file (ip.txt).
This repository contains a proof-of-concept exploit for CVE-2022-30525, a remote unauthenticated command injection vulnerability in several Zyxel firewall models. The main exploit script, 'victorian_machinery.py', is a Python program that takes attacker- and target-specific parameters (remote host/port, local host/port, protocol, and netcat path). It works by forking a process: the child sends a crafted HTTP POST request to the vulnerable Zyxel endpoint ('/ztp/cgi-bin/handler') with a malicious payload in the 'mtu' parameter, which triggers a reverse shell connection back to the attacker's machine. The parent process starts a netcat listener to catch the shell. The exploit is effective against unpatched Zyxel firewalls with the management web interface exposed. The repository is well-documented, with a detailed README explaining the vulnerability, affected models, usage instructions, and example output. No detection or scanning functionality is present; this is a direct exploitation tool.
This repository contains a Python proof-of-concept exploit for CVE-2022-30525, a remote command injection vulnerability affecting multiple Zyxel firewall products. The main script, CVE-2022-30525.py, allows the user to test a single target or perform bulk scanning against multiple targets listed in a file. The exploit works by sending a crafted POST request to the /ztp/cgi-bin/handler endpoint on the target device, injecting a command via the 'mtu' parameter. The injected command triggers a DNS request to a domain controlled by dnslog.cn, allowing the script to verify successful command execution by checking for the corresponding DNS query. The repository also includes a README.md with detailed vulnerability information, affected products, and usage instructions. No weaponized payload is included; the exploit is designed for verification and demonstration purposes.
This repository contains a Python exploit script (CVE-2022-30525.py) targeting Zyxel firewall devices running ZLD firmware versions 5.00 through 5.21. The exploit leverages an unauthenticated remote command injection vulnerability in the /ztp/cgi-bin/handler HTTP endpoint. The attacker supplies the target URL, a remote host, and a port; the script then sends a specially crafted JSON payload that injects a bash reverse shell command via the 'mtu' parameter. If successful, the target device initiates a reverse shell connection to the attacker's machine, granting remote command execution. The repository also includes a 'banner' file (ASCII art and credits) and a 'requirements.txt' specifying the 'requests' Python library. The exploit is operational, providing a working reverse shell payload, and is not part of a larger framework.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A specific CVE for which exploit code is implemented in native C inside TuxBot, but the exploit engine is dead code and never called at runtime in the analyzed version.
Referenced as a historically exploited N-day by CL-STA-1015/UNC5174; no additional details provided in the content.
Referenced only as a historically exploited N-day by UNC5174/CL-STA-1015; no additional vulnerability details provided in this content.
Unknown (mentioned only as a historically exploited N-day by UNC5174/CL-STA-1015; no vulnerability details provided).
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.