Zyxel Releases Urgent Security Updates for Critical Vulnerability in NAS Devices

June 20, 2023 | Ravi Lakshmanan | Vulnerability / Data Security

Critical vulnerabilities in NAS devices

Zyxel has released security updates to address a critical security flaw in network attached storage (NAS) devices that could allow arbitrary command execution on affected systems.

Tracked as CVE-2023-27992 (CVSS score: 9.8), the issue is described as a pre-authentication command injection vulnerability.

“A pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to remotely execute some operating system (OS) commands by sending crafted HTTP requests,” Zyxel said in an advisory released today.
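The vulnerability class named in the advisory is OS command injection reachable from an HTTP parameter. The following is an added, generic illustration of that class and its remediation; it is not Zyxel's code and says nothing about where the real flaw lives. The request handler, the `target` parameter and the `ping` command are assumptions chosen for the example. The unsafe builder shows the pattern a reviewer looks for (untrusted input concatenated into a shell string), the safe builder shows the fix (strict allowlist validation plus an argument vector that never passes through a shell), and the last helper is a detection aid for flagging suspicious parameter values in access logs.

```python
import re
import subprocess

# Allowlist for a hostname parameter: letters, digits, dots and hyphens only.
# Shell metacharacters (; | & $ ` etc.) can never match this pattern.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Characters that give a string meaning to /bin/sh; used for log triage.
SHELL_METACHARS = set(";|&$`<>(){}\n")


def build_command_unsafe(target: str) -> str:
    """VULNERABLE pattern (do not use): the request parameter is spliced into a
    string that would be handed to a shell, e.g. via os.system(). Anything the
    client puts after a ';' becomes a second command."""
    return "ping -c 1 " + target


def build_command_safe(target: str) -> list:
    """Hardened form: validate against a strict allowlist, then build an argv
    list. A list passed to subprocess.run() with shell=False is executed
    directly, so no shell ever parses the value."""
    if not HOSTNAME_RE.fullmatch(target):
        raise ValueError("rejected target: not a valid hostname")
    return ["ping", "-c", "1", target]


def run_safe(target: str, dry_run: bool = True):
    """Execute the hardened command (dry_run=True only returns the argv so the
    example runs offline without needing network access)."""
    argv = build_command_safe(target)
    if dry_run:
        return argv
    return subprocess.run(argv, check=False, capture_output=True, text=True)


def has_shell_metacharacters(value: str) -> bool:
    """Detection helper: True if a logged parameter value contains characters
    that only make sense if someone is trying to break out of a command string.
    Useful for triaging web-server logs for crafted requests."""
    return any(ch in SHELL_METACHARS for ch in value)


# Constructed sample parameter values (not from any real request).
SAMPLE_PARAMS = ["nas.example.internal", "10.0.0.5", "nas.example.internal; id"]

if __name__ == "__main__":
    for p in SAMPLE_PARAMS:
        flagged = has_shell_metacharacters(p)
        try:
            argv = run_safe(p)
            print(f"{p!r}: accepted -> {argv}  suspicious={flagged}")
        except ValueError as exc:
            print(f"{p!r}: {exc}  suspicious={flagged}")
```

The two builders take the same input; the difference is that the hardened one fails closed on anything outside the allowlist and never constructs a string for a shell to interpret. The detection helper is deliberately simple so it can be dropped into a log-review script; a value that trips it on an endpoint that expects a hostname is worth a closer look.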


Andrej Zaujec, NCSC-FI, and Maxim Suslov are credited with discovering and reporting the flaw. The following versions are affected by CVE-2023-27992:

  • NAS326 (before V5.21(AAZF.13)C0, patched in V5.21(AAZF.14)C0),
  • NAS540 (before V5.21(AATB.10)C0, patched in V5.21(AATB.11)C0), and
  • NAS542 (before V5.21(ABAG.10)C0, patched in V5.21(ABAG.11)C0)
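A practical follow-up to the list above is checking an inventory of NAS devices against the patched firmware versions. The script below is an added example, not a Zyxel tool; it parses the version-string format used in the advisory (`V<major>.<minor>(<model code>.<patch>)C<rev>`), compares each device's firmware against the patched release for its model, and reports which devices still need the update. The inventory entries are constructed sample data, and the assumption that any version numerically below the patched release is affected follows the "before ... patched in ..." wording above.

```python
import re

# Patched firmware per model, from the advisory as summarised above.
PATCHED_VERSIONS = {
    "NAS326": "V5.21(AAZF.14)C0",
    "NAS540": "V5.21(AATB.11)C0",
    "NAS542": "V5.21(ABAG.11)C0",
}

# Zyxel NAS firmware strings look like V5.21(AAZF.13)C0:
# major.minor, a model code in parentheses with a patch number, then a C-revision.
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def parse_version(version: str) -> tuple:
    """Split a firmware string into (major, minor, model_code, patch, rev).
    Raises ValueError on anything that does not match the known format."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware string: {version!r}")
    major, minor, code, patch, rev = m.groups()
    return (int(major), int(minor), code, int(patch), int(rev))


def is_vulnerable(model: str, version: str):
    """True if the device runs firmware older than the patched release for its
    model, False if it is at or beyond it, None if the model is not covered by
    this advisory."""
    if model not in PATCHED_VERSIONS:
        return None
    have = parse_version(version)
    fixed = parse_version(PATCHED_VERSIONS[model])
    if have[2] != fixed[2]:
        # The model code inside the parentheses is tied to the hardware model;
        # a mismatch means the inventory record is inconsistent.
        raise ValueError(f"{model}: model code {have[2]} does not match {fixed[2]}")
    # Compare numeric fields only (major, minor, patch, rev).
    return (have[0], have[1], have[3], have[4]) < (fixed[0], fixed[1], fixed[3], fixed[4])


def audit(inventory: list) -> list:
    """Return [(hostname, model, version, status)] for every device, where
    status is 'VULNERABLE', 'patched' or 'not covered'."""
    report = []
    for hostname, model, version in inventory:
        result = is_vulnerable(model, version)
        status = {True: "VULNERABLE", False: "patched", None: "not covered"}[result]
        report.append((hostname, model, version, status))
    return report


# Constructed sample inventory (hostnames and firmware levels are made up).
SAMPLE_INVENTORY = [
    ("nas-01", "NAS326", "V5.21(AAZF.13)C0"),
    ("nas-02", "NAS326", "V5.21(AAZF.14)C0"),
    ("nas-03", "NAS540", "V5.21(AATB.09)C0"),
    ("nas-04", "NAS542", "V5.21(ABAG.11)C0"),
    ("nas-05", "NAS520", "V5.21(AASZ.08)C0"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print("{:8} {:7} {:18} {}".format(*row))
```

Feed it the model and firmware string as shown on each device's web UI or in its configuration export. Devices reported as "not covered" are not cleared by this check; they are simply outside the three models the advisory lists.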

The alert comes after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two flaws in Zyxel firewalls (CVE-2023-33009 and CVE-2023-33010) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation, two weeks after they were published.

With Zyxel devices being targeted by threat actors, it is imperative that customers apply patches as soon as possible to prevent potential risks.
