Zyxel warns of critical command injection flaw in NAS devices
2023-06-20 14:26

Zyxel is warning users of its NAS devices to update their firmware to fix a critical-severity command injection vulnerability.

Zyxel has provided no workarounds or mitigations for CVE-2023-27992 in its latest advisory, so users of the impacted NAS devices are recommended to apply the available security updates as soon as possible.

BleepingComputer also strongly advises that all NAS owners not expose their devices to the Internet and make them only accessible from the local network or through a VPN. Simply placing the NAS device behind a firewall will significantly reduce its exposure to new vulnerabilities, as threat actors cannot easily target them.

Hackers are always searching for critical flaws in Zyxel devices that can be exploited remotely, and they are quick to adopt publicly available PoC exploits against devices that haven't been patched to a secure firmware version.

NAS devices are a particularly enticing target for ransomware operations that remotely exploit vulnerabilities to encrypt files and issue ransom demands.

In the past, QNAP and Synology NAS devices have been targeted by ransomware in widespread attacks.


News URL

https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-command-injection-flaw-in-nas-devices/

Related Vulnerability

Date: 2023-06-19
CVE: CVE-2023-27992
Title: OS Command Injection vulnerability in Zyxel Nas326 Firmware, Nas540 Firmware and Nas542 Firmware
Description: The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request.
Attack vector: network
Attack complexity: low
Vendor: Zyxel
Weakness: CWE-78
Risk: critical (score 9.8)
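Since the advisory gives a per-model "fixed" firmware version and no workaround, the practical defender task is an inventory check: which of our NAS units are still below the threshold. The script below is an added example written for this page, not code from BleepingComputer or Zyxel. It parses the firmware string shape the advisory uses (V<major>.<minor>(<build code>.<release>)C<n>) and compares against the three fixed versions quoted above. The ordering it applies (major.minor, then the release number after the build code, then the C-number) is an assumption about Zyxel's versioning scheme, not something the advisory states, and the inventory rows are constructed sample data.

```python
import re
from typing import Optional

# Fixed firmware versions per model, taken from the advisory text for
# CVE-2023-27992: any earlier version of that model is affected.
FIXED_VERSIONS = {
    "NAS326": "V5.21(AAZF.14)C0",
    "NAS540": "V5.21(AATB.11)C0",
    "NAS542": "V5.21(ABAG.11)C0",
}

# Shape of a Zyxel firmware string: V<major>.<minor>(<build code>.<release>)C<n>
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def parse_version(text: str) -> tuple:
    """Split a firmware string into (major, minor, build_code, release, c)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {text!r}")
    major, minor, code, release, c = m.groups()
    return int(major), int(minor), code, int(release), int(c)


def version_key(parsed: tuple) -> tuple:
    """Assumed ordering: major.minor first, then the release number after the
    build code, then the C-number. This is an assumption about Zyxel's scheme,
    not something the advisory states."""
    major, minor, _code, release, c = parsed
    return (major, minor, release, c)


def is_vulnerable(model: str, version: str) -> Optional[bool]:
    """True if `version` is older than the fix for `model`, False if it is at or
    past the fix, None if the advisory does not cover the model at all."""
    fixed = FIXED_VERSIONS.get(model.upper())
    if fixed is None:
        return None
    have, want = parse_version(version), parse_version(fixed)
    # The build code is model-specific; a mismatch means the wrong firmware
    # string was paired with this model, so refuse to guess.
    if have[2] != want[2]:
        raise ValueError(f"build code {have[2]} does not belong to {model}")
    return version_key(have) < version_key(want)


def triage_inventory(rows) -> list:
    """Map (hostname, model, version) rows to (hostname, status) with status
    one of 'VULNERABLE', 'fixed' or 'not-covered'."""
    out = []
    for host, model, version in rows:
        state = is_vulnerable(model, version)
        if state is None:
            status = "not-covered"
        else:
            status = "VULNERABLE" if state else "fixed"
        out.append((host, status))
    return out


# Constructed inventory rows for demonstration; these are not real hosts.
INVENTORY = [
    ("nas-01", "NAS326", "V5.21(AAZF.13)C0"),      # one release behind the fix
    ("nas-02", "NAS326", "V5.21(AAZF.14)C0"),      # exactly the fixed version
    ("nas-03", "NAS542", "V5.20(ABAG.9)C0"),       # older minor version
    ("nas-04", "NAS540", "V5.21(AATB.11)C0"),      # exactly the fixed version
    ("nas-05", "NAS326", "V5.21(AAZF.15)C0"),      # newer than the fix
    ("nas-06", "OTHER-MODEL", "V1.0(XXXX.1)C0"),   # placeholder model, not in advisory
]

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY):
        print(f"{host}: {status}")
```

Feeding it a real export (hostname, model, firmware string) in place of INVENTORY gives a list to drive patching; a row with a build code that does not match its model is rejected rather than silently compared, because that usually means the inventory itself is wrong.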

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Zyxel 382 0 82 95 51 228