Critical Zyxel NAS vulnerabilities patched, update quickly! (Security News, December 2023)

Zyxel has patched six vulnerabilities affecting its network attached storage devices, including several command injection flaws that can be easily exploited by unauthenticated attackers.
One of the six plugged security holes is an improper authentication vulnerability in the devices' authentication module, and may allow unauthenticated attackers to grab system information by sending a specially crafted URL to a vulnerable device.
The remaining five are command injection vulnerabilities in various functions and server components of the Zyxel NAS firmware.
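The flaws above share one root cause: a value taken from a crafted URL ends up inside an operating-system command line. The following is an added illustration of that vulnerability class and its fix, not Zyxel's code and not an exploit for these CVEs; the `/cgi-bin/diag` endpoint, the `host` parameter and the request paths are constructed for the example, and `echo` stands in for whatever diagnostic binary a real handler would call so that the block runs offline.

```python
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Constructed request paths for a hypothetical diagnostic endpoint (not Zyxel's).
# The crafted one carries a percent-encoded ';' followed by a second command.
BENIGN_URL = "/cgi-bin/diag?host=192.0.2.10"
CRAFTED_URL = "/cgi-bin/diag?host=192.0.2.10%3Becho%20INJECTED"

# Allow-list for a hostname or IPv4 literal: letters, digits, '.' and '-' only.
# Shell metacharacters (; | & $ ` newline ...) can never match.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def host_from_url(url: str) -> str:
    """Extract the 'host' query parameter; parse_qs percent-decodes it."""
    return parse_qs(urlsplit(url).query).get("host", [""])[0]


def is_safe_host(host: str) -> bool:
    """True only if the value is a plain hostname/IP with no shell syntax."""
    return HOST_RE.fullmatch(host) is not None


def diag_vulnerable(url: str) -> str:
    """Vulnerable pattern: the untrusted value is interpolated into a shell
    command line, so a ';' in it ends the intended command and starts another.
    Returns the shell's stdout so the effect is visible."""
    cmd = f"echo probing {host_from_url(url)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def diag_hardened(url: str) -> str:
    """Hardened pattern: validate against the allow-list, then pass the value as
    its own argv element with shell=False so no shell ever parses it."""
    host = host_from_url(url)
    if not is_safe_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return subprocess.run(["echo", "probing", host], capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(diag_vulnerable(CRAFTED_URL))   # second line of output proves injection
    print(diag_hardened(BENIGN_URL))
    try:
        diag_hardened(CRAFTED_URL)
    except ValueError as e:
        print("hardened handler:", e)
```

Both changes matter: the allow-list stops the attacker-controlled value from carrying shell syntax, and the argv-list call removes the shell from the path entirely, so even an allow-list mistake does not turn back into command execution.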
"During the course of investigating the original issue's root cause, a new flaw, CVE-2023-4473, and a bypass for the CVE-2023-27992 patch were uncovered. Combined, they allow for pre-authenticated remote code execution on Zyxel NAS devices," Balfour noted in a blog post published on Thursday, in which he detailed his research.
Zyxel NAS devices are a popular choice with small to medium-sized businesses, which use them for data storage, backup, and collaboration.
In 2020, 62,000 QNAP NAS devices across the globe were infected with malware that stole sensitive information, established a backdoor into the system, and persisted on the devices by preventing updates from being installed.
News URL
https://www.helpnetsecurity.com/2023/12/01/zyxel-nas-vulnerabilities/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK (CVSS) |
---|---|---|---|---|
2023-11-30 | CVE-2023-4473 | Command injection vulnerability in Zyxel NAS326 and NAS542 firmware | A command injection vulnerability in the web server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device. | 0.0 (no score recorded in this listing) |
2023-06-19 | CVE-2023-27992 | OS command injection vulnerability in Zyxel NAS326, NAS540 and NAS542 firmware | The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request. | 9.8 |
Note that the NAS326 and NAS542 versions listed as affected by CVE-2023-4473 are exactly the versions that fixed CVE-2023-27992, which is consistent with the patch bypass described above: a device that only applied the June 2023 fix still needs the newer firmware.
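Version strings in the advisories follow Zyxel's `V<major>.<minor>(<platform>.<patch>)C<build>` layout, and the "prior to" wording makes a correct ordering comparison the whole check. The following added helper, not part of the original page or of any Zyxel tool, parses that format and classifies a device against only what the two advisory rows above state; the model-to-platform-code mapping (AAZF for NAS326, AATB for NAS540, ABAG for NAS542) is read off those rows, and any version the page does not mention is reported as "not listed" rather than guessed.

```python
import re
from typing import Dict, Tuple

# e.g. V5.21(AAZF.14)C0 -> (5, 21, "AAZF", 14, 0)
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")

# Taken from the two advisory rows above. CVE-2023-27992 is fixed from these
# versions on; CVE-2023-4473 is stated for exactly these versions (no NAS540
# version is listed for it on this page).
FIRST_FIXED_27992: Dict[str, str] = {
    "NAS326": "V5.21(AAZF.14)C0",
    "NAS540": "V5.21(AATB.11)C0",
    "NAS542": "V5.21(ABAG.11)C0",
}
LISTED_AFFECTED_4473: Dict[str, str] = {
    "NAS326": "V5.21(AAZF.14)C0",
    "NAS542": "V5.21(ABAG.11)C0",
}

Version = Tuple[int, int, str, int, int]


def parse_version(text: str) -> Version:
    """Parse a Zyxel firmware version string into a comparable tuple.
    The platform code sits at index 2 and must match between operands;
    the remaining integers compare numerically, not as strings."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Zyxel firmware version: {text!r}")
    major, minor, platform, patch, build = m.groups()
    return (int(major), int(minor), platform, int(patch), int(build))


def assess(model: str, version: str) -> Dict[str, str]:
    """Classify one device against the two advisories quoted on this page."""
    if model not in FIRST_FIXED_27992:
        raise ValueError(f"model {model!r} is not covered by these advisories")
    v = parse_version(version)
    fixed = parse_version(FIRST_FIXED_27992[model])
    if v[2] != fixed[2]:
        raise ValueError(f"platform code {v[2]} does not belong to {model}")

    result = {}
    # "versions prior to X" means strictly less than X.
    result["CVE-2023-27992"] = (
        "vulnerable (pre-auth OS command injection)" if v < fixed
        else "fixed in this version"
    )
    listed = LISTED_AFFECTED_4473.get(model)
    if listed is not None and v == parse_version(listed):
        result["CVE-2023-4473"] = "affected (version named in the advisory)"
    else:
        result["CVE-2023-4473"] = "not listed on this page for this version"
    return result


if __name__ == "__main__":
    # Constructed inventory lines: model and firmware as shown in the web UI.
    for model, fw in [("NAS326", "V5.21(AAZF.13)C0"),
                      ("NAS326", "V5.21(AAZF.14)C0"),
                      ("NAS540", "V5.21(AATB.11)C0")]:
        print(model, fw, assess(model, fw))
```

The point of the platform-code check is that a version string from one model must never be compared against another model's fixed version: AAZF.14 and ABAG.11 are not on the same number line, and a naive string or integer comparison would silently mark the wrong devices as patched.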