Unauthenticated OS Command Injection in Zyxel USG FLEX, ATP, and VPN Series
CVE-2022-30525 is a critical unauthenticated OS command injection vulnerability in the CGI-based web management functionality of multiple Zyxel firewall and VPN products, including USG FLEX, ATP, and VPN series devices. The vendor description states that the flaw exists in a CGI program and can allow an attacker to modify specific files and then execute OS commands on the device. Public reporting further indicates exploitation via the /ztp/cgi-bin/handler URI, where unsanitized attacker-controlled input is passed to os.system in lib_wan_settings.py. This improper neutralization of special elements in an OS command allows a remote attacker to inject arbitrary shell commands without authentication. Affected firmware ranges include USG FLEX 100(W)/200/500/700 versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) and USG20(W)-VPN versions 5.10 through 5.21 Patch 1, ATP series versions 5.10 through 5.21 Patch 1, and VPN series versions 4.60 through 5.21 Patch 1.
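As an added defensive example (not part of this page or of any repository it tracks), the following Python inspects captured HTTP requests, as a reverse proxy or WAF in front of the management interface might record them, for the request shape described above: a POST to /ztp/cgi-bin/handler whose JSON body carries an mtu value that is not a plain integer. Only the endpoint path and the mtu parameter come from the page; the record format, the sample requests, the other JSON keys and the placeholder host name are constructed assumptions.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# Endpoint and parameter named in the vulnerability description; everything
# else in this file is a constructed assumption for the example.
ZTP_HANDLER_PATH = "/ztp/cgi-bin/handler"
INJECTION_PARAM = "mtu"

# A legitimate MTU is a small integer (e.g. 1500); anything else is suspect.
VALID_MTU = re.compile(r"\d{3,5}")
# Characters that only make sense in the field if the sender expects a shell.
SHELL_METACHARS = re.compile(r"[;|&`$()<>\n]")


@dataclass
class Finding:
    src: str
    reason: str
    mtu_value: str


def inspect_request(record: dict) -> Optional[Finding]:
    """Return a Finding if one captured request matches the CVE-2022-30525 pattern.

    `record` is a constructed proxy/WAF record with keys src, method, path, body.
    """
    if record.get("method") != "POST" or record.get("path") != ZTP_HANDLER_PATH:
        return None
    try:
        body = json.loads(record.get("body") or "")
    except json.JSONDecodeError:
        return None  # nothing to inspect; not a JSON body
    if not isinstance(body, dict) or INJECTION_PARAM not in body:
        return None
    mtu = str(body[INJECTION_PARAM])
    if VALID_MTU.fullmatch(mtu):
        return None  # well-formed numeric MTU, nothing to report
    reason = ("shell metacharacters in mtu" if SHELL_METACHARS.search(mtu)
              else "non-numeric mtu")
    return Finding(record.get("src", "?"), reason, mtu)


def scan(records) -> list:
    """Run inspect_request over a batch of captured records, keeping only hits."""
    return [f for f in (inspect_request(r) for r in records) if f is not None]


# Constructed sample traffic: one benign config request, one injection attempt
# using a placeholder callback host, and one unrelated request.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "POST", "path": ZTP_HANDLER_PATH,
     "body": '{"mtu": "1500", "data": "placeholder"}'},
    {"src": "203.0.113.7", "method": "POST", "path": ZTP_HANDLER_PATH,
     "body": '{"mtu": "; ping callback-placeholder.example ;", "data": "placeholder"}'},
    {"src": "10.0.0.9", "method": "GET", "path": "/", "body": ""},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(f"{finding.src}: {finding.reason} ({finding.mtu_value!r})")
```

The check is deliberately allow-list based: rather than matching known payload strings, it treats any mtu that is not a 3- to 5-digit integer as a finding, so encoding tricks around the metacharacters still surface as "non-numeric mtu". Because the endpoint is reachable without authentication, a defender will usually also want to alert on any external source address reaching /ztp/cgi-bin/handler at all, independent of the body.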
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository provides a Python proof-of-concept exploit for CVE-2022-30525, an unauthenticated remote command injection vulnerability in Zyxel firewalls. The main script, CVE-2022-30525.py, allows the user to specify a single target URL or a file containing multiple targets. It sends a crafted POST request to the /ztp/cgi-bin/handler endpoint on the target, injecting a command via the 'mtu' parameter in the JSON body. The injected command pings a unique domain obtained from dnslog.cn, and the script then checks dnslog.cn for evidence of the ping, confirming successful code execution. The exploit does not require authentication and is designed for detection and verification of the vulnerability, not for weaponized post-exploitation. The repository also includes a helper script (dnslog.py) for interacting with dnslog.cn and a sample target list file (ip.txt).
This repository contains a proof-of-concept exploit for CVE-2022-30525, a remote unauthenticated command injection vulnerability in several Zyxel firewall models. The main exploit script, 'victorian_machinery.py', is a Python program that takes attacker- and target-specific parameters (remote host/port, local host/port, protocol, and netcat path). It works by forking a process: the child sends a crafted HTTP POST request to the vulnerable Zyxel endpoint ('/ztp/cgi-bin/handler') with a malicious payload in the 'mtu' parameter, which triggers a reverse shell connection back to the attacker's machine. The parent process starts a netcat listener to catch the shell. The exploit is effective against unpatched Zyxel firewalls with the management web interface exposed. The repository is well-documented, with a detailed README explaining the vulnerability, affected models, usage instructions, and example output. No detection or scanning functionality is present; this is a direct exploitation tool.
This repository contains a Python proof-of-concept exploit for CVE-2022-30525, a remote command injection vulnerability affecting multiple Zyxel firewall products. The main script, CVE-2022-30525.py, allows the user to test a single target or perform bulk scanning against multiple targets listed in a file. The exploit works by sending a crafted POST request to the /ztp/cgi-bin/handler endpoint on the target device, injecting a command via the 'mtu' parameter. The injected command triggers a DNS request to a domain controlled by dnslog.cn, allowing the script to verify successful command execution by checking for the corresponding DNS query. The repository also includes a README.md with detailed vulnerability information, affected products, and usage instructions. No weaponized payload is included; the exploit is designed for verification and demonstration purposes.
This repository contains a Python exploit script (CVE-2022-30525.py) targeting Zyxel firewall devices running ZLD firmware versions 5.00 through 5.21. The exploit leverages an unauthenticated remote command injection vulnerability in the /ztp/cgi-bin/handler HTTP endpoint. The attacker supplies the target URL, a remote host, and a port; the script then sends a specially crafted JSON payload that injects a bash reverse shell command via the 'mtu' parameter. If successful, the target device initiates a reverse shell connection to the attacker's machine, granting remote command execution. The repository also includes a 'banner' file (ASCII art and credits) and a 'requirements.txt' specifying the 'requests' Python library. The exploit is operational, providing a working reverse shell payload, and is not part of a larger framework.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a historically exploited N-day by CL-STA-1015/UNC5174; no additional details provided in the content.
Referenced only as a historically exploited N-day by UNC5174/CL-STA-1015; no additional vulnerability details provided in this content.
Unknown (mentioned only as a historically exploited N-day by UNC5174/CL-STA-1015; no vulnerability details provided).
Unknown (mentioned only as a historically exploited N-day by UNC5174/CL-STA-1015; no technical details provided).
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.