{"cve":{"cve_id":"CVE-2022-30525","is_kev":true,"kev_date_added":"2022-05-16","kev_vendor_project":"Zyxel","kev_product":"Multiple Firewalls","kev_vulnerability_name":"Zyxel Multiple Firewalls OS Command Injection Vulnerability","kev_short_description":"A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.","kev_required_action":"Apply updates per vendor instructions.","kev_due_date":"2022-06-06","kev_known_ransomware":false,"kev_notes":"https://nvd.nist.gov/vuln/detail/CVE-2022-30525","kev_cwes":["CWE-78"],"epss_score":0.99938,"epss_percentile":0.99969,"epss_as_of":"2026-06-23","description":"An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable 
device.","published_at":"2022-05-12T13:05:11Z","last_modified_at":null,"cvss_v3_score":9.8,"cvss_v3_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","cvss_v3_severity":"CRITICAL","cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":"active","ssvc_automatable":true,"ssvc_technical_impact":"total","cwes":["CWE-78"],"nvd_references":["https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml","http://packetstormsecurity.com/files/167176/Zyxel-Remote-Command-Execution.html","http://packetstormsecurity.com/files/167182/Zyxel-Firewall-ZTP-Unauthenticated-Command-Injection.html","http://packetstormsecurity.com/files/167372/Zyxel-USG-FLEX-5.21-Command-Injection.html","http://packetstormsecurity.com/files/168202/Zyxel-Firewall-SUID-Binary-Privilege-Escalation.html"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:31.350578Z","updated_at":"2026-06-29T01:05:30.317946Z"},"effective_severity":"CRITICAL","badges":["kev","poc","epss"],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"PR","name":"Privileges Required","value":"N","value_label":"None"},{"metric":"UI","name":"User 
Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"H","value_label":"High"},{"metric":"I","name":"Integrity","value":"H","value_label":"High"},{"metric":"A","name":"Availability","value":"H","value_label":"High"}]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"zyxel","vendor_name":"Zyxel","product_slug":"atp-series-firmware","product_name":"ATP series firmware","version_start":"5.10 through 5.21 Patch 1","version_start_inclusive":true,"version_end":"5.10 through 5.21 Patch 1","version_end_inclusive":true,"cpe23_uri":"cve5:zyxel:atp-series-firmware:5.10 through 5.21 Patch 1:5.10 through 5.21 Patch 1"},{"vendor_slug":"zyxel","vendor_name":"Zyxel","product_slug":"usg-20-w-vpn-firmware","product_name":"USG 20(W)-VPN firmware","version_start":"5.10 through 5.21 Patch 1","version_start_inclusive":true,"version_end":"5.10 through 5.21 Patch 1","version_end_inclusive":true,"cpe23_uri":"cve5:zyxel:usg-20-w-vpn-firmware:5.10 through 5.21 Patch 1:5.10 through 5.21 Patch 1"},{"vendor_slug":"zyxel","vendor_name":"Zyxel","product_slug":"usg-flex-100-w-firmware","product_name":"USG FLEX 100(W) firmware","version_start":"5.00 through 5.21 Patch 1","version_start_inclusive":true,"version_end":"5.00 through 5.21 Patch 1","version_end_inclusive":true,"cpe23_uri":"cve5:zyxel:usg-flex-100-w-firmware:5.00 through 5.21 Patch 1:5.00 through 5.21 Patch 1"},{"vendor_slug":"zyxel","vendor_name":"Zyxel","product_slug":"usg-flex-200-firmware","product_name":"USG FLEX 200 firmware","version_start":"5.00 through 5.21 Patch 1","version_start_inclusive":true,"version_end":"5.00 through 5.21 Patch 1","version_end_inclusive":true,"cpe23_uri":"cve5:zyxel:usg-flex-200-firmware:5.00 through 5.21 Patch 1:5.00 through 5.21 Patch 1"},{"vendor_slug":"zyxel","vendor_name":"Zyxel","product_slug":"usg-flex-500-firmware","product_name":"USG FLEX 500 
firmware","version_start":"5.00 through 5.21 Patch 1","version_start_inclusive":true,"version_end":"5.00 through 5.21 Patch 1","version_end_inclusive":true,"cpe23_uri":"cve5:zyxel:usg-flex-500-firmware:5.00 through 5.21 Patch 1:5.00 through 5.21 Patch 1"},{"vendor_slug":"zyxel","vendor_name":"Zyxel","product_slug":"usg-flex-50-w-firmware","product_name":"USG FLEX 50(W) firmware","version_start":"5.10 through 5.21 Patch 1","version_start_inclusive":true,"version_end":"5.10 through 5.21 Patch 1","version_end_inclusive":true,"cpe23_uri":"cve5:zyxel:usg-flex-50-w-firmware:5.10 through 5.21 Patch 1:5.10 through 5.21 Patch 1"},{"vendor_slug":"zyxel","vendor_name":"Zyxel","product_slug":"usg-flex-700-firmware","product_name":"USG FLEX 700 firmware","version_start":"5.00 through 5.21 Patch 1","version_start_inclusive":true,"version_end":"5.00 through 5.21 Patch 1","version_end_inclusive":true,"cpe23_uri":"cve5:zyxel:usg-flex-700-firmware:5.00 through 5.21 Patch 1:5.00 through 5.21 Patch 1"},{"vendor_slug":"zyxel","vendor_name":"Zyxel","product_slug":"vpn-series-firmware","product_name":"VPN series firmware","version_start":"4.60 through 5.21 Patch 1","version_start_inclusive":true,"version_end":"4.60 through 5.21 Patch 1","version_end_inclusive":true,"cpe23_uri":"cve5:zyxel:vpn-series-firmware:4.60 through 5.21 Patch 1:4.60 through 5.21 Patch 1"}],"exploit_refs":[{"source":"nuclei","kind":"nuclei","url":"https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-30525.yaml","title":"Zyxel Firewall - OS Command 
Injection","author":"h1ei1,prajiteshsingh","disclosed_at":null}],"news":[],"references":[{"url":"https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml","source_type":"MISC","tags":[]},{"url":"http://packetstormsecurity.com/files/167176/Zyxel-Remote-Command-Execution.html","source_type":"EXPLOIT","tags":["exploit"]},{"url":"http://packetstormsecurity.com/files/167182/Zyxel-Firewall-ZTP-Unauthenticated-Command-Injection.html","source_type":"EXPLOIT","tags":["exploit"]},{"url":"http://packetstormsecurity.com/files/167372/Zyxel-USG-FLEX-5.21-Command-Injection.html","source_type":"EXPLOIT","tags":["exploit"]},{"url":"http://packetstormsecurity.com/files/168202/Zyxel-Firewall-SUID-Binary-Privilege-Escalation.html","source_type":"EXPLOIT","tags":["exploit"]}],"timeline":[{"type":"published","at":"2022-05-12T13:05:11Z","label":"CVE published","source":null},{"type":"cisa_reported","at":"2022-05-16T00:00:00Z","label":"Added to CISA KEV catalog","source":"kev"},{"type":"poc_available","at":"2026-06-24T00:29:48.638073Z","label":"Public PoC available","source":"nuclei"},{"type":"cvss_changed","at":"2026-06-28T17:22:27.915531Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:22:27.915531Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:22:27.915531Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"ssvc_changed","at":"2026-06-29T01:05:30.317946Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"ssvc_changed","at":"2026-06-29T01:05:30.317946Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"ssvc_changed","at":"2026-06-29T01:05:30.317946Z","label":"SSVC decision revised","source":"vulnrichment"}]}