Security News > 2020 > February > Zyxel Patches Zero-Day Vulnerability in Network Storage Products
Networking devices vendor Zyxel has released patches for several network attached storage devices to address a critical vulnerability that is already being exploited by cybercriminals.
"A remote code execution vulnerability was identified in the weblogin.cgi program of Zyxel NAS products running firmware version 5.21 and earlier. Missing authentication for the program could allow attackers to perform remote code execution via OS command injection," Zyxel explains in an advisory.
A remote attacker could execute arbitrary code on a vulnerable Zyxel device by sending a specially-crafted HTTP POST or GET request.
An exploit for the vulnerability has been available for sale on underground forums for a while now, priced at $20,000, security reporter Brian Krebs, who alerted Zyxel, DHS, and CERT/CC on the flaw, reveals.
This week, Zyxel released patches for four of the devices found vulnerable, namely NAS326, NAS520, NAS540, and NAS542.
News URL
Related news
- Zero-Day Vulnerability in Ivanti VPN (source)
- Apple zero-day vulnerability exploited to target iPhone users (CVE-2025-24085) (source)
- Zyxel CPE Devices Face Active Exploitation Due to Unpatched CVE-2024-40891 Vulnerability (source)
- Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) (source)
- Russian cybercrooks exploiting 7-Zip zero-day vulnerability (CVE-2025-0411) (source)
- PostgreSQL Vulnerability Exploited Alongside BeyondTrust Zero-Day in Targeted Attacks (source)