Security News (June 2023): Zyxel Releases Urgent Security Updates for Critical Vulnerability in NAS Devices
Zyxel has rolled out security updates to address a critical security flaw in its network-attached storage devices that could result in the execution of arbitrary commands on affected systems.
Tracked as CVE-2023-27992, the issue has been described as a pre-authentication command injection vulnerability.
"The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system commands remotely by sending a crafted HTTP request," Zyxel said in an advisory published today.
The affected models and their fixed firmware versions are NAS326 (patched in V5.21(AAZF.14)C0), NAS540 (patched in V5.21(AATB.11)C0), and NAS542 (patched in V5.21(ABAG.11)C0); all earlier versions are vulnerable.
The alert comes two weeks after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two flaws in Zyxel firewalls to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
With Zyxel devices becoming an attack magnet for threat actors, it's imperative that customers apply the fixes as soon as possible to prevent potential risks.
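To turn the fixed versions quoted on this page into a fleet check, here is an added example (not code from the page or from Zyxel) that parses Zyxel's `V5.21(AAZF.14)C0` version string format and flags devices still running an older build. The inventory lines, hostnames and helper names are constructed for illustration.

```python
import re

# Fixed firmware versions for CVE-2023-27992, as stated in the Zyxel advisory quoted on this page.
FIXED_VERSIONS = {
    "NAS326": "V5.21(AAZF.14)C0",
    "NAS540": "V5.21(AATB.11)C0",
    "NAS542": "V5.21(ABAG.11)C0",
}

# Zyxel version layout: V<major>.<minor>(<build code>.<patch>)C<release>
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def parse_version(s):
    """Split a Zyxel version string into (major, minor, build_code, patch, release)."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {s!r}")
    major, minor, code, patch, release = m.groups()
    return (int(major), int(minor), code, int(patch), int(release))


def is_vulnerable(model, version):
    """True if the firmware predates the fixed release for this model.
    Returns None for models this advisory does not cover."""
    fixed = FIXED_VERSIONS.get(model.upper())
    if fixed is None:
        return None
    cur, fix = parse_version(version), parse_version(fixed)
    # The build code (e.g. AAZF) identifies the model line; a mismatch means a wrong inventory entry.
    if cur[2] != fix[2]:
        raise ValueError(f"build code {cur[2]} does not belong to {model} firmware ({fix[2]})")
    # "Prior to" the fixed version: compare major, minor, patch and release numerically.
    return (cur[0], cur[1], cur[3], cur[4]) < (fix[0], fix[1], fix[3], fix[4])


# Constructed sample inventory: hostname,model,firmware version (hypothetical hosts).
INVENTORY = """\
nas-01,NAS326,V5.21(AAZF.13)C0
nas-02,NAS326,V5.21(AAZF.14)C0
nas-03,NAS540,V5.21(AATB.11)C0
nas-04,NAS542,V5.21(ABAG.10)C0
nas-05,NAS542,V5.20(ABAG.11)C0
"""


def find_unpatched(inventory_csv):
    """Return the hostnames whose firmware is older than the fixed version for their model."""
    unpatched = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, model, ver = (field.strip() for field in line.split(","))
        if is_vulnerable(model, ver):
            unpatched.append(host)
    return unpatched
```

Running `find_unpatched(INVENTORY)` on the constructed inventory reports nas-01, nas-04 and nas-05, since a lower patch number or a lower minor version both count as "prior to" the fixed build.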
News URL: https://thehackernews.com/2023/06/zyxel-releases-urgent-security-updates.html
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-06-19 | CVE-2023-27992 | OS Command Injection vulnerability in Zyxel NAS326, NAS540 and NAS542 firmware: the pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request. | 0.0 |