Zyxel patches vulnerability in NAS devices (CVE-2023-27988)
2023-05-31 11:47

Zyxel has patched a high-severity authenticated command injection vulnerability in some of its network attached storage devices aimed at home users.

The vulnerability was discovered in the devices' web management interface.

"An authenticated attacker with administrator privileges could leverage this vulnerability to execute some operating system commands on an affected device remotely," Zyxel has confirmed.

The vulnerability has been reported by Sternum researchers, who released a root cause analysis of the flaw and described how they made the target devices do something they usually wouldn't.

"These tests also confirmed that the vulnerability we found could be used by an authenticated user to execute an arbitrary system command with root privileges on the device. Consequently, they could be used for a more malicious purpose - for instance, for a remote malware injection," they explained.

There is currently no mention of the vulnerability being exploited by attackers, but NAS devices are generally an attractive target for cyber criminals, as evidenced by past ransomware attacks targeting QNAP NAS devices.


News URL

https://www.helpnetsecurity.com/2023/05/31/cve-2023-27988/

Related vendor

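| VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|--------|----------|------------|-----|--------|------|----------|-------------|
| Zyxel  |          | 458        | 3   | 111    | 71   | 44       | 229         |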