Tackling Critical Vulnerability in NAS Devices By Zyxel
Security updates have addressed a critical vulnerability found in Zyxel's network-attached storage (NAS) devices. This vulnerability had the potential to enable the execution of unauthorized commands on affected computers.
Tracked as CVE-2023-27992 (CVSS score: 9.8), the issue has been described as a pre-authentication command injection vulnerability. Following this, Zyxel released a statement in an advisory published today.
The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request.
The discovery and reporting of the vulnerability were credited to Andrej Zaujec, NCSC-FI, and Maxim Suslov.
The versions affected by CVE-2023-27992 are NAS326 (up to V5.21(AAZF.13)C0, patched in V5.21(AAZF.14)C0), NAS540 (up to V5.21(AATB.10)C0, patched in V5.21(AATB.11)C0), and NAS542 (up to V5.21(ABAG.10)C0, patched in V5.21(ABAG.11)C0). This alert follows the recent addition of two Zyxel firewall vulnerabilities (CVE-2023-33009 and CVE-2023-33010) to the U.S. Cybersecurity and Infrastructure Security Agency (CISA)'s Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation.
Customers must immediately apply the patches to minimize risk, because Zyxel devices are increasingly being targeted by threat actors.