Zyxel warns of critical command injection flaw in NAS devices (Security News, June 2023)
Zyxel is warning users of its NAS devices to update their firmware to fix a critical-severity command injection vulnerability.
Zyxel has provided no workarounds or mitigations for CVE-2023-27992 in its latest advisory, so users of the impacted NAS devices are recommended to apply the available security updates as soon as possible.
BleepingComputer also strongly advises that all NAS owners not expose their devices to the Internet and make them only accessible from the local network or through a VPN. Simply placing the NAS device behind a firewall will significantly reduce its exposure to new vulnerabilities, as threat actors cannot easily target them.
Hackers are always searching for critical flaws in Zyxel devices that can be exploited remotely, and they are quick to adopt publicly available PoC exploits to attack devices that haven't been patched to a secure firmware version.
NAS devices are a particularly enticing target for ransomware operations that remotely exploit vulnerabilities to encrypt files and issue ransom demands.
In the past, QNAP and Synology NAS devices have been targeted by ransomware in widespread attacks.
Related news
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices
- D-Link won't fix critical flaw affecting 60,000 older NAS devices
- Critical bug in EoL D-Link NAS devices now exploited in attacks
- QNAP addresses critical flaws across NAS, router software
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2023-06-19 | CVE-2023-27992 | OS Command Injection vulnerability in Zyxel NAS326 Firmware, NAS540 Firmware and NAS542 Firmware. The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request. | 0.0
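An added example (not from Zyxel or the original article) for checking a NAS inventory against the fixed versions in the table above: it parses Zyxel's firmware string and flags devices still below the patched release. The version layout `V<major>.<minor>(<code>.<build>)C<release>` and its ordering are assumptions; the inventory is constructed sample data.

```python
import re

# Fixed firmware versions per model, as listed in Zyxel's advisory for CVE-2023-27992.
FIXED_VERSIONS = {
    "NAS326": "V5.21(AAZF.14)C0",
    "NAS540": "V5.21(AATB.11)C0",
    "NAS542": "V5.21(ABAG.11)C0",
}

# Assumed layout of a Zyxel firmware string: V<major>.<minor>(<model code>.<build>)C<release>
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def parse_version(text):
    """Split a firmware string into (major, minor, code, build, release)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {text!r}")
    major, minor, code, build, release = m.groups()
    return int(major), int(minor), code, int(build), int(release)


def is_vulnerable(model, installed):
    """True if `installed` is older than the fixed version for `model`.
    Models not named in the advisory raise KeyError rather than silently passing."""
    fixed = parse_version(FIXED_VERSIONS[model.upper()])
    cur = parse_version(installed)
    if cur[2] != fixed[2]:
        raise ValueError(f"{installed} does not look like {model} firmware ({fixed[2]} expected)")
    # Assumption: versions order by (major, minor, build, release); the letter code is per model.
    return (cur[0], cur[1], cur[3], cur[4]) < (fixed[0], fixed[1], fixed[3], fixed[4])


def audit(inventory):
    """Return the (name, model, version) entries that still need the patch."""
    return [(n, m, v) for n, m, v in inventory if is_vulnerable(m, v)]


# Constructed sample inventory for demonstration, not real devices.
SAMPLE_INVENTORY = [
    ("nas-office", "NAS326", "V5.21(AAZF.13)C0"),
    ("nas-lab", "NAS540", "V5.21(AATB.11)C0"),
    ("nas-backup", "NAS542", "V5.21(ABAG.10)C0"),
]

if __name__ == "__main__":
    for name, model, version in audit(SAMPLE_INVENTORY):
        print(f"{name} ({model}) runs {version}: update required for CVE-2023-27992")
```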