Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
An argument injection vulnerability in the 'packet-trace' CLI command of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN series firmware versions 4.30 through 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500 firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2) and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and earlier versions could allow a local authenticated attacker to execute arbitrary OS commands by passing crafted arguments to the CLI command.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Feedly found the first article mentioning CVE-2022-26532.
CVE-2022-26532 is a critical OS command injection vulnerability with a CVSS score of 7.8. Zyxel assigned this CVE along with CVE-2022-26531 on March 17, 2022. It is currently unclear if this vulnerability is being actively exploited in the wild, and there may be proof-of-concept exploits available. Organizations should implement mitigations and monitor for patches to protect against potential downstream impacts to other third-party vendors or technologies.
EPSS score: 0.05% (percentile: 17.5%)