Zyxel Releases Urgent Security Updates for Critical Vulnerability in NAS Devices
Zyxel has rolled out security updates to address a critical security flaw in its network-attached storage devices that could result in the execution of arbitrary commands on affected systems.
Tracked as CVE-2023-27992, the issue has been described as a pre-authentication command injection vulnerability.
"The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system commands remotely by sending a crafted HTTP request," Zyxel said in an advisory published today.
The following models are affected: NAS326 (firmware versions prior to V5.21(AAZF.14)C0, patched in V5.21(AAZF.14)C0), NAS540 (firmware versions prior to V5.21(AATB.11)C0, patched in V5.21(AATB.11)C0), and NAS542 (firmware versions prior to V5.21(ABAG.11)C0, patched in V5.21(ABAG.11)C0).
The alert comes two weeks after the U.S. Cybersecurity and Infrastructure Security Agency on Monday added two flaws in Zyxel firewalls to its Known Exploited Vulnerabilities catalog, based on evidence of active exploitation.
With Zyxel devices becoming an attack magnet for threat actors, it's imperative that customers apply the fixes as soon as possible to prevent potential risks.
News URL
https://thehackernews.com/2023/06/zyxel-releases-urgent-security-updates.html
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-06-19 | CVE-2023-27992 | OS Command Injection vulnerability in Zyxel NAS326, NAS540 and NAS542 firmware. The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request. | 9.8 |