Zyxel Releases Urgent Security Updates for Critical Vulnerability in NAS Devices
Zyxel has rolled out security updates to address a critical security flaw in its network-attached storage devices that could result in the execution of arbitrary commands on affected systems.
Tracked as CVE-2023-27992, the issue has been described as a pre-authentication command injection vulnerability.
"The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system commands remotely by sending a crafted HTTP request," Zyxel said in an advisory published today.
The following models are affected, with the fix shipped in the firmware version listed: NAS326 (patched in V5.21(AAZF.14)C0), NAS540 (patched in V5.21(AATB.11)C0), and NAS542 (patched in V5.21(ABAG.11)C0). All earlier firmware versions of each model are vulnerable.
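A fleet-triage helper, added here as an example and not code from Zyxel or from the article, that decides from a device's reported firmware string whether it predates the fixed build listed above. It takes the fixed versions from the advisory text on this page; the ordering it uses (major, minor, build number, then the trailing C revision) is an assumption of this example, since the advisory only says "prior to" the patched version. The inventory at the bottom is constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Fixed firmware per model, as stated in the Zyxel advisory for CVE-2023-27992.
# Any version that sorts before these is affected.
PATCHED = {
    "NAS326": "V5.21(AAZF.14)C0",
    "NAS540": "V5.21(AATB.11)C0",
    "NAS542": "V5.21(ABAG.11)C0",
}

# Zyxel version strings look like V<major>.<minor>(<model code>.<build>)C<rev>.
# Comparing as (major, minor, build, rev) is an assumption of this example.
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def parse_version(version: str) -> Optional[Tuple[str, Tuple[int, int, int, int]]]:
    """Return (model_code, (major, minor, build, rev)), or None if the string
    does not match the expected layout."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, code, build, rev = m.groups()
    return code, (int(major), int(minor), int(build), int(rev))


def is_vulnerable(model: str, running: str) -> Optional[bool]:
    """True if `running` predates the fixed build for `model`, False if it is
    at or past the fix, None if the model is not covered by the advisory, the
    version string does not parse, or the model code embedded in the version
    does not belong to the claimed model (inventory data is often wrong)."""
    fixed = PATCHED.get(model.upper())
    if fixed is None:
        return None
    parsed_running = parse_version(running)
    if parsed_running is None:
        return None
    run_code, run_tuple = parsed_running
    fix_code, fix_tuple = parse_version(fixed)
    if run_code != fix_code:
        return None  # e.g. an AAZF (NAS326) image reported under a NAS540 label
    return run_tuple < fix_tuple


def triage(inventory):
    """Bucket (hostname, model, version) tuples into vulnerable/patched/unknown.
    'unknown' entries need manual verification rather than being ignored."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, model, version in inventory:
        verdict = is_vulnerable(model, version)
        bucket = "unknown" if verdict is None else ("vulnerable" if verdict else "patched")
        result[bucket].append(host)
    return result


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("nas-a", "NAS326", "V5.21(AAZF.13)C0"),  # one build before the fix
    ("nas-b", "NAS326", "V5.21(AAZF.14)C0"),  # exactly the fixed build
    ("nas-c", "NAS540", "V5.20(AATB.12)C0"),  # higher build, but older minor
    ("nas-d", "NAS542", "V5.21(ABAG.11)C0"),  # fixed
    ("nas-e", "NAS540", "V5.21(AAZF.14)C0"),  # model code does not match NAS540
    ("nas-f", "NAS326", "5.21"),              # truncated string from a scanner
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The point of the `unknown` bucket is that a version string which does not parse, or whose embedded model code contradicts the asset record, should be re-checked on the device rather than silently counted as patched.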
The alert comes two weeks after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two flaws in Zyxel firewalls to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
With Zyxel devices becoming an attack magnet for threat actors, it's imperative that customers apply the fixes as soon as possible to prevent potential risks.
News URL
https://thehackernews.com/2023/06/zyxel-releases-urgent-security-updates.html
Related news
- Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) (source)
- Ivanti Issues Critical Security Updates for CSA and Connect Secure Vulnerabilities (source)
- Critical OpenWrt Vulnerability Exposes Devices to Malicious Firmware Injection (source)
- Critical security hole in Apache Struts under exploit (source)
- BeyondTrust Issues Urgent Patch for Critical Vulnerability in PRA and RS Products (source)
- BeyondTrust fixes critical vulnerability in remote access, support solutions (CVE-2024-12356) (source)
- Hackers Exploiting Critical Fortinet EMS Vulnerability to Deploy Remote Access Tools (source)
- Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now (source)
- The ongoing evolution of the CIS Critical Security Controls (source)
- Cisco fixes ClamAV vulnerability with available PoC and critical Meeting Management flaw (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2023-06-19 | CVE-2023-27992 | OS Command Injection vulnerability in Zyxel NAS326, NAS540 and NAS542 firmware. The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request. | 0.0