CVE-2022-38547: OS Command Injection in Zyxel ATP100 Firmware

Severity: 7.2 HIGH (NVD)
EPSS: 1.5% (top 19.07%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 7, 2023

Description

A post-authentication command injection vulnerability in the CLI command of Zyxel ZyWALL/USG series firmware versions 4.20 through 4.72, VPN series firmware versions 4.30 through 5.32, USG FLEX series firmware versions 4.50 through 5.32, and ATP series firmware versions 4.32 through 5.32, which could allow an authenticated attacker with administrator privileges to execute OS commands.
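The advisory names the bug class (OS command injection reachable through an authenticated CLI command) but not the command or the code path. The following is an added illustration of that class, written for this page and not taken from Zyxel's firmware: a hypothetical diagnostic command that takes a hostname argument, first in the vulnerable shape (argument interpolated into a shell string) and then in the hardened shape (allow-list validation plus an argv call that never passes through a shell). The command name, the argument, the regular expression and the payload are all constructed assumptions; it relies on a POSIX sh and a printf binary being present.

```python
import re
import subprocess

# Constructed illustration of the bug class in the advisory (OS command injection
# via an authenticated CLI command). NOT Zyxel's code: the "probe" command, its
# hostname argument, the allow-list and the payload are hypothetical.

# Allow-list for a hostname/IP argument: letters, digits, dot and hyphen only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def run_probe_vulnerable(host: str) -> str:
    """Vulnerable pattern: the admin-supplied argument is pasted into a shell
    command string, so shell metacharacters (';', '|', '$(...)') in it become
    additional commands running with the CLI daemon's privileges."""
    cmd = f"printf 'probe %s\\n' {host}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def run_probe_hardened(host: str) -> str:
    """Hardened pattern: reject anything outside the allow-list, then pass the
    argument as its own argv element so no shell ever parses it."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected argument: {host!r}")
    out = subprocess.run(["printf", "probe %s\n", host],
                         capture_output=True, text=True)
    return out.stdout


# Constructed attacker input: a valid-looking host followed by an injected command.
PAYLOAD = "10.0.0.1; echo INJECTED"

if __name__ == "__main__":
    # Vulnerable: prints "probe 10.0.0.1" and then "INJECTED" from the injected command.
    print(run_probe_vulnerable(PAYLOAD), end="")
    # Hardened: the same input is refused before anything executes.
    try:
        run_probe_hardened(PAYLOAD)
    except ValueError as e:
        print("hardened:", e)
    print(run_probe_hardened("10.0.0.1"), end="")
```

The argv form is the fix that matters; quoting with shlex.quote() would also stop this payload, but an allow-list plus argv removes the shell from the path entirely, which is the check a reviewer should look for in any CLI or web handler that ends in system(), popen() or shell=True.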

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

PR:H (administrator credentials required) is what holds the score at 7.2 despite full confidentiality, integrity and availability impact; exposure therefore hinges on who can reach the management interface and how well admin credentials are protected.

Affected Packages (29 packages; 5 shown)

Source      Package                             Affected versions (inclusive)
CVEListV5   zyxel/usg_flex_series_firmware      4.50 through 5.32
CVEListV5   zyxel/zywall_usg_series_firmware    4.20 through 4.72
CVEListV5   zyxel/atp_series_firmware           4.32 through 5.32
CVEListV5   zyxel/vpn_series_firmware           4.30 through 5.32
NVD         zyxel/zywall_110_firmware           4.20 through 4.72
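For fleet triage, the ranges above need to be compared numerically per product line, not as strings, and the ZyWALL/USG line stops at 4.72 while the other three run to 5.32. The checker below is an added example for this page (not a Zyxel or cvebase tool): it encodes exactly the four CVEListV5 ranges listed, parses a version string into an integer tuple, and reports whether that version falls inside the range for its series. The handling of a leading "V" and a parenthesised build suffix in the version string is an assumption about Zyxel's version format made for this example; versions outside a listed range are reported as "not listed as affected", which is all the page supports.

```python
# Affected ranges exactly as listed on this page (inclusive). Anything outside a
# range is only "not listed as affected" here; this table does not assert a fix version.
AFFECTED = {
    "zywall_usg": ("4.20", "4.72"),
    "vpn":        ("4.30", "5.32"),
    "usg_flex":   ("4.50", "5.32"),
    "atp":        ("4.32", "5.32"),
}


def parse_version(v: str) -> tuple:
    """Turn a version string into a tuple of ints for numeric comparison.
    Assumption for this example: Zyxel strings may look like 'V5.32(ABFW.0)',
    so a leading 'V' and a parenthesised build suffix are stripped first."""
    v = v.strip().lstrip("Vv").split("(")[0]
    parts = v.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(series: str, version: str) -> bool:
    """True when `version` lies inside the listed affected range for `series`."""
    if series not in AFFECTED:
        raise KeyError(f"unknown series {series!r}; expected one of {sorted(AFFECTED)}")
    lo, hi = AFFECTED[series]
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


def triage(inventory) -> list:
    """Run the check over (name, series, version) records from an asset inventory.
    Returns the names of devices whose version is inside a listed range."""
    return [name for name, series, version in inventory if is_affected(series, version)]


if __name__ == "__main__":
    # Constructed inventory for demonstration; hostnames and versions are made up.
    sample = [
        ("fw-edge-01", "atp",        "V5.32(ABFW.0)"),
        ("fw-edge-02", "atp",        "V5.35(ABFW.0)"),
        ("fw-branch",  "usg_flex",   "4.49"),
        ("fw-legacy",  "zywall_usg", "4.72"),
        ("vpn-hub",    "vpn",        "5.32"),
    ]
    print(triage(sample))   # fw-edge-01, fw-legacy and vpn-hub are inside listed ranges
```

Two points the table alone does not make explicit: the upper bounds are inclusive, so a device on exactly 5.32 (or 4.72 on the ZyWALL/USG line) is in scope; and a ZyWALL/USG device reporting 5.x is outside its listed range even though 5.x is in scope for the other three series, so the series must be matched before the version.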

Vulnerability Details (2 references)

CVEList: CVE-2022-38547 (2023-02-07). A post-authentication command injection vulnerability in the CLI command of Zyxel ZyWALL/USG series firmware versions 4...
GHSA: GHSA-w85w-m9jr-jffx (2023-02-07). A post-authentication command injection vulnerability in the CLI command of Zyxel ZyWALL/USG series firmware versions 4...
CVE-2022-38547 — OS Command Injection in Zyxel | cvebase