
Zyxel Patches Zero-Day Vulnerability in Network Storage Products
2020-02-25 15:43

Networking device vendor Zyxel has released patches for several network-attached storage (NAS) devices to address a critical vulnerability that is already being exploited by cybercriminals.

"A remote code execution vulnerability was identified in the weblogin.cgi program of Zyxel NAS products running firmware version 5.21 and earlier. Missing authentication for the program could allow attackers to perform remote code execution via OS command injection," Zyxel explains in an advisory.

A remote attacker could execute arbitrary code on a vulnerable Zyxel device by sending a specially crafted HTTP POST or GET request.

According to security reporter Brian Krebs, who alerted Zyxel, DHS, and CERT/CC to the flaw, an exploit for the vulnerability has been available for sale on underground forums for a while now, priced at $20,000.

This week, Zyxel released patches for four of the devices found vulnerable, namely NAS326, NAS520, NAS540, and NAS542.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/rOz6WFbfFcY/zyxel-patches-zero-day-vulnerability-network-storage-products

Related vendor

Last 12M:

| Vendor | #/Products | Low | Medium | High | Critical | Total Vulns |
| --- | --- | --- | --- | --- | --- | --- |
| Zyxel | 378 | 0 | 69 | 85 | 46 | 200 |