Security News > 2023 > November > Zyxel warns of multiple critical vulnerabilities in NAS devices

Zyxel warns of multiple critical vulnerabilities in NAS devices
2023-11-30 15:11

Zyxel has addressed multiple security issues, including three critical ones that could allow an unauthenticated attacker to execute operating system commands on vulnerable network-attached storage devices.

Zyxel NAS systems are used for storing data in a centralized location on the network.

Typical Zyxel NAS users include small to medium-sized businesses seeking a solution that combines data management, remote work, and collaboration features, as well as IT professionals setting up data redundancy systems, or videographers and digital artists working with large files.

CVE-2023-35137: Improper authentication vulnerability in Zyxel NAS devices' authentication module, allowing unauthenticated attackers to obtain system information via a crafted URL. CVE-2023-35138: Command injection flaw in the "Show zysync server contents" function in Zyxel NAS devices, permitting unauthenticated attackers to execute OS commands through a crafted HTTP POST request.

QNAP warns of critical command injection flaws in QTS OS, apps.

Fortinet warns of critical command injection bug in FortiSIEM. UK and South Korea: Hackers use zero-day in supply-chain attack.


News URL

https://www.bleepingcomputer.com/news/security/zyxel-warns-of-multiple-critical-vulnerabilities-in-nas-devices/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-11-30 CVE-2023-35138 OS Command Injection vulnerability in Zyxel Nas326 Firmware and Nas542 Firmware
A command injection vulnerability in the “show_zysync_server_contents” function of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.
0.0
2023-11-30 CVE-2023-35137 Unspecified vulnerability in Zyxel Nas326 Firmware and Nas542 Firmware
An improper authentication vulnerability in the authentication module of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to obtain system information by sending a crafted URL to a vulnerable device.
network
low complexity
zyxel
7.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Zyxel 378 0 69 85 46 200