Security News > 2023 > June > Zyxel warns of critical command injection flaw in NAS devices

Zyxel is warning its NAS devices users to update their firmware to fix a critical severity command injection vulnerability.

Zyxel has provided no workarounds or mitigations for CVE-2023-27992 in its latest advisory, so users of the impacted NAS devices are recommended to apply the available security updates as soon as possible.

BleepingComputer also strongly advises that all NAS owners not expose their devices to the Internet and make them only accessible from the local network or through a VPN. Simply placing the NAS device behind a firewall will significantly reduce its exposure to new vulnerabilities, as threat actors cannot easily target them.

Hackers are always searching for critical flaws on Zyxel devices that can be exploited remotely and are quick to adopt publicly available PoC exploits to attack devices that haven't been patched to a secure firmware version.

NAS devices are a particularly enticing target for ransomware operations that remotely exploit vulnerabilities to encrypt files and issue ransom demands.

In the past, QNAP and Synology NAS devices have been targeted by ransomware in widespread attacks.

News URL

https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-command-injection-flaw-in-nas-devices/