Zyxel Firewall Advisory | May 2022

Threat actors are exploiting a vulnerability found in a firewall widely used in small and medium businesses. Here's what you need to know.


On May 12, 2022, Zyxel disclosed a critical vulnerability, CVE-2022-30525, affecting Zyxel products. This vulnerability allows unauthenticated and remote attackers to execute code on affected devices. The Zyxel firewall series performs VPN connectivity, SSL inspection, web filtering, intrusion protection, and email security and are widely used in small to medium businesses. The firewall series that are affected offers a feature known as Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and the USG FLEX series (including USG20-VPN and USG20W-VPN).

Quick facts: what you need to know now

  • Attackers are actively exploiting the vulnerability in affected devices.
  • This vulnerability has a CVSS score of 9.8 — indicating a high severity.
  • Exploitation of the vulnerability allows an attacker to execute remote commands and modify files on the device leading to the compromise of the device and unauthorized access into the environment as the firewall controls incoming and outgoing traffic to your network. 

Next Steps for All Zyxel Customers:

  1. Determine if your organization is using one of the impacted Zyxel firewalls. They are listed below: 

Affected Model

Affected Firmware Version

USG FLEX 100(W), 200, 500, 700

ZLD V5.00 through ZLD V5.21 Patch 1


ZLD V5.00 through ZLD V5.21 Patch 1

ATP series

ZLD V5.00 through ZLD V5.21 Patch 1

VPN series

ZLD V5.00 through ZLD V5.21 Patch 1

  1. Update the devices to the latest patch, ZLD V5.30.
  2. If possible, enable automatic firmware updates.
  3. Disable WAN access to the administrative web interface of the system.


If you have any questions, please reach out to the Risk + Response Team at services@corvusinsurance.com!