Zyxel Warns of Critical Command Injection Flaw in NAS Devices

Cyber Security Threat Summary:
Zyxel recently published security updates addressing a critical command injection vulnerability in its Network Attached Storage (NAS) devices and is urging customers to update their firmware. Tracked as CVE-2023-27992, the flaw is a pre-authentication command injection issue that could allow an unauthenticated attacker to execute operating system commands on an affected device via specially crafted HTTP requests.

Below is a list of the impacted devices and firmware versions, with the relevant patched releases for each product:

  • NAS326 – impacts V5.21(AAZF.13)C0 and earlier, fixed in V5.21(AAZF.14)C0
  • NAS540 – impacts V5.21(AATB.10)C0 and earlier, fixed in V5.21(AATB.11)C0
  • NAS542 – impacts V5.21(ABAG.10)C0 and earlier, fixed in V5.21(ABAG.11)C0
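As an added example (not Zyxel's code and not part of the advisory), the following Python check parses this firmware version format and reports whether an inventoried device still predates the fixed release for its model; the sample inventory rows are constructed.

```python
"""Added example (not from Zyxel or the advisory): decide whether a Zyxel NAS
firmware string predates the fixed release listed for CVE-2023-27992."""
import re
from typing import NamedTuple

# Fixed releases per model, exactly as listed in the advisory.
FIXED_RELEASES = {
    "NAS326": "V5.21(AAZF.14)C0",
    "NAS540": "V5.21(AATB.11)C0",
    "NAS542": "V5.21(ABAG.11)C0",
}

# Zyxel firmware strings look like V5.21(AAZF.13)C0:
#   V<major>.<minor>(<branch>.<build>)C<revision>
_FW_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class Firmware(NamedTuple):
    major: int
    minor: int
    branch: str   # product-line tag (AAZF, AATB, ABAG), not an ordinal
    build: int
    revision: int


def parse_firmware(version: str) -> Firmware:
    m = _FW_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    major, minor, branch, build, rev = m.groups()
    return Firmware(int(major), int(minor), branch, int(build), int(rev))


def is_vulnerable(model: str, version: str) -> bool:
    """True if the firmware is older than the fixed release for this model."""
    fixed = parse_firmware(FIXED_RELEASES[model])  # unlisted model -> KeyError
    cur = parse_firmware(version)
    if cur.branch != fixed.branch:  # e.g. NAS540 firmware reported for a NAS326
        raise ValueError(f"{version} is not on the {model} branch {fixed.branch}")
    # Compare only the numeric fields; the branch tag is equal at this point.
    return (cur.major, cur.minor, cur.build, cur.revision) < (
        fixed.major, fixed.minor, fixed.build, fixed.revision)


if __name__ == "__main__":
    # Constructed sample inventory rows, not real devices.
    for host, model, ver in [("nas-01", "NAS326", "V5.21(AAZF.13)C0"),
                             ("nas-02", "NAS542", "V5.21(ABAG.11)C0")]:
        state = "patch required" if is_vulnerable(model, ver) else "fixed"
        print(f"{host} ({model}) {ver}: {state}")
```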

Security Officer Comments:
Although NAS devices offer a convenient, low-cost storage solution, they carry significant security risk: they are exposed to the internet and ship with default configurations that are oftentimes left unchanged. In the case of CVE-2023-27992, a threat actor could exploit this vulnerability to take complete control of the device and, from there, gain access to any sensitive or personal data stored on it.

Suggested Correction(s):
There are currently no workarounds for CVE-2023-27992, so users should apply the latest firmware patches as soon as possible to prevent potential exploitation attempts. Please refer to Zyxel's advisory below to access the patches released for each of the impacted devices: https://www.zyxel.com/global/en/sup...mmand-injection-vulnerability-in-nas-products

Link(s):
https://www.bleepingcomputer.com/