Zyxel has released a security update to address a critical security flaw in its Network Attached Storage (NAS) devices that could allow the execution of arbitrary commands on affected systems.
Tracked as CVE-2023-27992 (CVSS score: 9.8), the issue is described as a pre-authentication command injection vulnerability.
“A pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to remotely execute some operating system (OS) commands by sending crafted HTTP requests,” the company said in an advisory published today.
Andrej Zaujec, NCSC-FI, and Maxim Suslov are credited with discovering and reporting the flaw. The following versions are affected by CVE-2023-27992:
- NAS326 (before V5.21(AAZF.13)C0, patched in V5.21(AAZF.14)C0),
- NAS540 (before V5.21(AATB.10)C0, patched in V5.21(AATB.11)C0), and
- NAS542 (before V5.21(ABAG.10)C0, patched in V5.21(ABAG.11)C0)
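The three model/version pairs above are the only data an administrator needs to decide whether a given NAS still runs unpatched firmware. The script below is an added example, not Zyxel's own tooling: it parses version strings in the `V5.21(AAZF.14)C0` form shown in the advisory, compares a device's running firmware against the patched version for its model, and triages a small inventory. The inventory rows, hostnames and the `OTHER-MODEL` entry are constructed for the example; a device is flagged only when its version is strictly lower than the patched version listed above, which is unambiguous whichever way the "before" wording is read.

```python
import csv
import io
import re
from typing import Dict, NamedTuple

# Patched firmware versions per model, as listed in the CVE-2023-27992 advisory.
PATCHED_VERSIONS: Dict[str, str] = {
    "NAS326": "V5.21(AAZF.14)C0",
    "NAS540": "V5.21(AATB.11)C0",
    "NAS542": "V5.21(ABAG.11)C0",
}

# Zyxel NAS version strings look like V<major>.<minor>(<code>.<build>)C<rev>,
# where <code> is a per-model firmware code (AAZF, AATB, ABAG on this page).
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class FirmwareVersion(NamedTuple):
    major: int
    minor: int
    code: str
    build: int
    revision: int

    def ordering_key(self):
        # The firmware code identifies the model, so it is excluded from ordering.
        return (self.major, self.minor, self.build, self.revision)


def parse_version(text: str) -> FirmwareVersion:
    """Parse a Zyxel version string; raise ValueError on any other format."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {text!r}")
    major, minor, code, build, rev = m.groups()
    return FirmwareVersion(int(major), int(minor), code, int(build), int(rev))


def is_vulnerable(model: str, running: str) -> bool:
    """True if `running` is older than the patched firmware for `model`."""
    patched = parse_version(PATCHED_VERSIONS[model])
    current = parse_version(running)
    if current.code != patched.code:
        # A different firmware code means the string belongs to another model,
        # so comparing build numbers would be meaningless.
        raise ValueError(
            f"firmware code {current.code} does not match {model} ({patched.code})"
        )
    return current.ordering_key() < patched.ordering_key()


def triage(inventory_csv: str) -> Dict[str, str]:
    """Map each hostname in a hostname,model,version CSV to a patch status."""
    results: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["hostname"].strip()
        model = row["model"].strip()
        if model not in PATCHED_VERSIONS:
            results[host] = "not-in-advisory"
            continue
        try:
            results[host] = "vulnerable" if is_vulnerable(model, row["version"]) else "patched"
        except ValueError:
            results[host] = "parse-error"
    return results


# Constructed sample inventory (hostnames and the OTHER-MODEL row are made up).
SAMPLE_INVENTORY = """\
hostname,model,version
nas-hq-01,NAS326,V5.21(AAZF.13)C0
nas-hq-02,NAS326,V5.21(AAZF.14)C0
nas-lab-01,NAS540,V5.21(AATB.10)C0
nas-lab-02,NAS542,V5.21(ABAG.11)C0
nas-other-01,OTHER-MODEL,V1.00(ZZZZ.01)C0
nas-bad-01,NAS326,5.21-custom
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Rows flagged `vulnerable` are the ones to patch first; `parse-error` rows usually mean the inventory field holds something other than the firmware string reported by the device and should be re-checked by hand rather than assumed safe.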
The alert comes after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two flaws in Zyxel firewalls (CVE-2023-33009 and CVE-2023-33010) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation, two weeks after they were published.
With Zyxel devices being targeted by threat actors, it is imperative that customers apply the patches as soon as possible to mitigate potential risks.