Security News > 2023 > June > Zyxel Releases Urgent Security Updates for Critical Vulnerability in NAS Devices
Zyxel has rolled out security updates to address a critical security flaw in its network-attached storage devices that could result in the execution of arbitrary commands on affected systems.
Tracked as CVE-2023-27992, the issue has been described as a pre-authentication command injection vulnerability.
"The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system commands remotely by sending a crafted HTTP request," Zyxel said in an advisory published today.
NAS326C0 and earlier, patched in V5.21(AAZF.14)C0), NAS540C0 and earlier, patched in V5.21(AATB.11)C0), and.
The alert comes two weeks after the U.S. Cybersecurity and Infrastructure Security Agency on Monday added two flaws in Zyxel firewalls to its Known Exploited Vulnerabilities catalog, based on evidence of active exploitation.
With Zyxel devices becoming an attack magnet for threat actors, it's imperative that customers apply the fixes as soon as possible to prevent potential risks.
News URL
https://thehackernews.com/2023/06/zyxel-releases-urgent-security-updates.html
Related news
- Critical Zimbra RCE vulnerability under mass exploitation (CVE-2024-45519) (source)
- Two simple give-me-control security bugs found in Optigo network switches used in critical manufacturing (source)
- Apple Releases Critical iOS and iPadOS Updates to Fix VoiceOver Password Vulnerability (source)
- Week in review: Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast (source)
- CISA Warns of Critical Fortinet Flaw as Palo Alto and Cisco Issue Urgent Security Patches (source)
- Experts Warn of Critical Unpatched Vulnerability in Linear eMerge E3 Systems (source)
- New Critical GitLab Vulnerability Could Allow Arbitrary CI/CD Pipeline Execution (source)
- Critical Veeam Vulnerability Exploited to Spread Akira and Fog Ransomware (source)
- Critical Kubernetes Image Builder Vulnerability Exposes Nodes to Root Access Risk (source)
- Fortinet releases patches for undisclosed critical FortiManager vulnerability (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-06-19 | CVE-2023-27992 | OS Command Injection vulnerability in Zyxel Nas326 Firmware, Nas540 Firmware and Nas542 Firmware The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request. | 9.8 |