Security News > 2022 > September > Critical RCE Vulnerability Affects Zyxel NAS Devices — Firmware Patch Released
Networking equipment maker Zyxel has released patches for a critical security flaw impacting its network-attached storage devices.
Tracked as CVE-2022-34747, the issue relates to a "Format string vulnerability" affecting NAS326, NAS540, and NAS542 models.
Zyxel credited researcher Shaposhnikov Ilya for reporting the flaw.
"A format string vulnerability was found in a specific binary of Zyxel NAS products that could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet," the company said in an advisory released on September 6.
The disclosure comes as Zyxel previously addressed local privilege escalation and authenticated directory traversal vulnerabilities affecting its firewall products in July.
In June 2022, it also remediated a security vulnerability that left GS1200 series switches susceptible to password-guessing attacks via a timing side-channel attack.
News URL
https://thehackernews.com/2022/09/critical-rce-vulnerability-affects.html
Related news
- Week in review: Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast (source)
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- Critical Zimbra RCE vulnerability under mass exploitation (CVE-2024-45519) (source)
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability (source)
- VMware fixes bad patch for critical vCenter Server RCE flaw (source)
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)
- Critical NVIDIA Container Toolkit Vulnerability Could Grant Full Host Access to Attackers (source)
- Progress urges admins to patch critical WhatsUp Gold bugs ASAP (source)
- 'Patch yesterday': Zimbra mail servers under siege through RCE vuln (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-09-06 | CVE-2022-34747 | Use of Externally-Controlled Format String vulnerability in Zyxel Nas326 Firmware 5.21/5.21(Aazf.7)C0 A format string vulnerability in Zyxel NAS326 firmware versions prior to V5.21(AAZF.12)C0 could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet. | 9.8 |