Zyxel Releases Urgent Security Update for Critical Vulnerabilities in NAS Devices


June 20, 2023 | Ravie Lakshmanan | Data Vulnerability/Security


Zyxel has released a security update to address a critical security flaw in its network attached storage (NAS) devices that could result in arbitrary command execution on affected systems.

Tracked as CVE-2023-27992 (CVSS score: 9.8), the issue is described as a pre-authentication command injection vulnerability.

“A pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to remotely execute some operating system (OS) commands by sending crafted HTTP requests,” Zyxel said in an advisory published today.


Andrej Zaujec, NCSC-FI, and Maxim Suslov have been credited with finding and reporting the flaw. The following versions are affected by CVE-2023-27992:

  • NAS326 (V5.21(AAZF.13)C0 and earlier, patched in V5.21(AAZF.14)C0),
  • NAS540 (V5.21(AATB.10)C0 and earlier, patched in V5.21(AATB.11)C0), and
  • NAS542 (V5.21(ABAG.10)C0 and earlier, patched in V5.21(ABAG.11)C0)
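As an added example (not from the article and not Zyxel's own tooling): a small Python check that parses Zyxel's firmware version string, compares the running build against the patched build listed above for each model, and reports which inventory entries still need the update. The inventory hosts, and the NAS520 model code used to show an unlisted model, are constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Minimum firmware versions carrying the fix for CVE-2023-27992, per model,
# as listed in Zyxel's advisory (quoted in the article above).
PATCHED = {
    "NAS326": "V5.21(AAZF.14)C0",
    "NAS540": "V5.21(AATB.11)C0",
    "NAS542": "V5.21(ABAG.11)C0",
}

# Zyxel firmware strings look like V5.21(AAZF.13)C0:
#   V<major>.<minor>(<model code>.<build>)C<release>
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class FirmwareVersion(NamedTuple):
    major: int
    minor: int
    code: str      # model code, e.g. AAZF for the NAS326
    build: int
    release: int

    @property
    def key(self) -> Tuple[int, int, int, int]:
        # Ordering used for "and earlier" comparisons; the model code is
        # checked separately because it must match, not sort.
        return (self.major, self.minor, self.build, self.release)


def parse_version(s: str) -> FirmwareVersion:
    """Parse a Zyxel NAS firmware string; raise ValueError on anything else."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {s!r}")
    major, minor, code, build, release = m.groups()
    return FirmwareVersion(int(major), int(minor), code, int(build), int(release))


def is_vulnerable(model: str, running: str) -> Optional[bool]:
    """True if `running` is below the patched build for `model`, False if it is
    at or above it, None if the model is not covered by the advisory."""
    if model not in PATCHED:
        return None
    cur = parse_version(running)
    fixed = parse_version(PATCHED[model])
    if cur.code != fixed.code:
        # A version string from a different model line is almost always an
        # inventory error; refuse rather than silently compare builds.
        raise ValueError(
            f"version {running!r} does not belong to model {model} "
            f"(expected model code {fixed.code}, got {cur.code})"
        )
    return cur.key < fixed.key


# Constructed sample inventory (hypothetical hosts). The NAS520 entry and its
# "AASZ" model code are made up to show how an unlisted model is reported.
SAMPLE_INVENTORY = [
    ("nas-01", "NAS326", "V5.21(AAZF.13)C0"),
    ("nas-02", "NAS326", "V5.21(AAZF.14)C0"),
    ("nas-03", "NAS540", "V5.21(AATB.9)C0"),
    ("nas-04", "NAS542", "V5.21(ABAG.11)C0"),
    ("nas-05", "NAS520", "V5.21(AASZ.7)C0"),
]


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, model, version) entries still below the patched build."""
    return [
        (host, model, version)
        for host, model, version in inventory
        if is_vulnerable(model, version) is True
    ]


if __name__ == "__main__":
    for host, model, version in SAMPLE_INVENTORY:
        verdict = is_vulnerable(model, version)
        status = {True: "NEEDS PATCH", False: "patched", None: "not in advisory"}[verdict]
        print(f"{host:8} {model:7} {version:18} {status}")
```

The comparison treats "V5.21(AAZF.13)C0 and earlier" as everything that sorts below the patched build on (major, minor, build, release) within the same model code, which is how Zyxel's advisory phrases the affected range; a model not named in the advisory is reported as such rather than assumed safe.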

The warning comes two weeks after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities in Zyxel firewalls (CVE-2023-33009 and CVE-2023-33010) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

With Zyxel devices increasingly targeted by threat actors, customers should apply the fixes as soon as possible to reduce their exposure.
