Zyxel has released a security update to address a critical security flaw in network attached storage (NAS) devices that could result in arbitrary command execution on affected systems.
Tracked as CVE-2023-27992 (CVSS score: 9.8), the issue is described as a pre-authentication command injection vulnerability.
“A pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to remotely execute some operating system (OS) commands by sending crafted HTTP requests,” Zyxel said in an advisory published today.
Andrej Zaujec, NCSC-FI, and Maxim Suslov have been credited with discovering and reporting the flaw. The following versions are affected by CVE-2023-27992:
- NAS326 (V5.21(AAZF.13)C0 and earlier, patched in V5.21(AAZF.14)C0),
- NAS540 (V5.21(AATB.10)C0 and earlier, patched in V5.21(AATB.11)C0), and
- NAS542 (V5.21(ABAG.10)C0 and earlier, patched in V5.21(ABAG.11)C0)
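For administrators with a fleet of these units, the affected/patched build table above can be turned into an inventory check. The following is an added example, not code from the advisory or from Zyxel; it assumes the firmware string format `V<major>.<minor>(<branch>.<build>)C<rev>` orders by major, minor, build and revision within the same branch code, and the hostnames are constructed samples.

```python
import re

# Affected firmware as listed in the advisory: for each model, the last
# affected build and the first fixed build (values from the page).
AFFECTED = {
    "NAS326": ("V5.21(AAZF.13)C0", "V5.21(AAZF.14)C0"),
    "NAS540": ("V5.21(AATB.10)C0", "V5.21(AATB.11)C0"),
    "NAS542": ("V5.21(ABAG.10)C0", "V5.21(ABAG.11)C0"),
}

# Assumption (not stated on the page): Zyxel firmware strings look like
# V<major>.<minor>(<branch>.<build>)C<rev>, ordered by major, minor, build, rev.
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")

def parse_version(s):
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {s!r}")
    major, minor, branch, build, rev = m.groups()
    return (branch, int(major), int(minor), int(build), int(rev))

def is_vulnerable(model, version):
    """True if the firmware is at or below the last affected build for the
    model, False if it already carries the fix, None if the model is not
    covered by the advisory."""
    if model not in AFFECTED:
        return None
    last_bad, _first_good = AFFECTED[model]
    have, bad = parse_version(version), parse_version(last_bad)
    if have[0] != bad[0]:
        # A different branch code means a different firmware line; do not guess.
        raise ValueError(f"branch {have[0]} does not match {model} firmware {bad[0]}")
    return have[1:] <= bad[1:]

def triage(inventory):
    """inventory: iterable of (hostname, model, firmware).
    Returns the hostnames that still need the CVE-2023-27992 update."""
    return [host for host, model, fw in inventory if is_vulnerable(model, fw)]

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("nas-01", "NAS326", "V5.21(AAZF.13)C0"),   # last affected build
    ("nas-02", "NAS326", "V5.21(AAZF.14)C0"),   # first fixed build
    ("nas-03", "NAS542", "V5.21(ABAG.9)C0"),    # older than last affected
    ("nas-04", "NAS540", "V5.21(AATB.11)C0"),   # fixed
]

if __name__ == "__main__":
    print(triage(SAMPLE))  # → ['nas-01', 'nas-03']
```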
The warning comes two weeks after the US Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two vulnerabilities in Zyxel’s firewalls (CVE-2023-33009 and CVE-2023-33010) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
With Zyxel devices becoming attack magnets for threat actors, customers should apply the fixes as soon as possible to reduce their exposure.