Security News > 2022 > September > Critical RCE Vulnerability Affects Zyxel NAS Devices — Firmware Patch Released
Networking equipment maker Zyxel has released patches for a critical security flaw impacting its network-attached storage devices.
Tracked as CVE-2022-34747, the issue relates to a "Format string vulnerability" affecting NAS326, NAS540, and NAS542 models.
Zyxel credited researcher Shaposhnikov Ilya for reporting the flaw.
"A format string vulnerability was found in a specific binary of Zyxel NAS products that could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet," the company said in an advisory released on September 6.
The disclosure comes as Zyxel previously addressed local privilege escalation and authenticated directory traversal vulnerabilities affecting its firewall products in July.
In June 2022, it also remediated a security vulnerability that left GS1200 series switches susceptible to password-guessing attacks via a timing side-channel attack.
News URL
https://thehackernews.com/2022/09/critical-rce-vulnerability-affects.html
Related news
- Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool (source)
- Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability (source)
- Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks (source)
- QNAP warns of critical auth bypass flaw in its NAS devices (source)
- Microsoft waited 6 months to patch actively exploited admin-to-kernel vulnerability (source)
- Microsoft March 2024 Patch Tuesday fixes 60 flaws, 18 RCE bugs (source)
- March 2024 Patch Tuesday: Microsoft fixes critical bugs in Windows Hyper-V (source)
- Fortinet warns of critical RCE bug in endpoint management software (source)
- Critical FortiClient EMS vulnerability fixed, (fake?) PoC for sale (CVE-2023-48788) (source)
- PoC exploit for critical Fortra FileCatalyst MFT vulnerability released (CVE-2024-25153) (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-09-06 | CVE-2022-34747 | Use of Externally-Controlled Format String vulnerability in Zyxel Nas326 Firmware 5.21/5.21(Aazf.7)C0 A format string vulnerability in Zyxel NAS326 firmware versions prior to V5.21(AAZF.12)C0 could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet. | 0.0 |