Security News > 2022 > September > Critical RCE Vulnerability Affects Zyxel NAS Devices — Firmware Patch Released
Networking equipment maker Zyxel has released patches for a critical security flaw impacting its network-attached storage devices.
Tracked as CVE-2022-34747, the issue relates to a "Format string vulnerability" affecting NAS326, NAS540, and NAS542 models.
Zyxel credited researcher Shaposhnikov Ilya for reporting the flaw.
"A format string vulnerability was found in a specific binary of Zyxel NAS products that could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet," the company said in an advisory released on September 6.
The disclosure comes as Zyxel previously addressed local privilege escalation and authenticated directory traversal vulnerabilities affecting its firewall products in July.
In June 2022, it also remediated a security vulnerability that left GS1200 series switches susceptible to password-guessing attacks via a timing side-channel attack.
News URL
https://thehackernews.com/2022/09/critical-rce-vulnerability-affects.html
Related news
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)
- Exploit released for critical WhatsUp Gold RCE flaw, patch now (source)
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)
- Critical OpenWrt Vulnerability Exposes Devices to Malicious Firmware Injection (source)
- BeyondTrust Issues Urgent Patch for Critical Vulnerability in PRA and RS Products (source)
- Hackers target critical zero-day vulnerability in PTZ cameras (source)
- Critical vulnerability in Cisco industrial wireless access points fixed (CVE-2024-20418) (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-09-06 | CVE-2022-34747 | Use of Externally-Controlled Format String vulnerability in Zyxel Nas326 Firmware 5.21/5.21(Aazf.7)C0 A format string vulnerability in Zyxel NAS326 firmware versions prior to V5.21(AAZF.12)C0 could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet. | 9.8 |