Security News > 2023 > December > Critical Zyxel NAS vulnerabilities patched, update quickly!

Critical Zyxel NAS vulnerabilities patched, update quickly!
2023-12-01 11:21

Zyxel has patched six vulnerabilities affecting its network attached storage devices, including several command injection flaws that can be easily exploited by unauthenticated attackers.

One of the six plugged security holes is an improper authentication vulnerability in the devices' authentication module, and may allow unauthenticated attackers to grab system information by sending a specially crafted URL to a vulnerable device.

The remaining five are command injection vulnerabilities in Zyxel NAS devices' various functions and servers.

"During the course of investigating the original issue's root cause, a new flaw, CVE-2023-4473, and a bypass for the CVE-2023-27992 patch were uncovered. Combined, they allow for pre-authenticated remote code execution on Zyxel NAS devices," Balfour noted in a blog post published on Thursday, in which he detailed his research.

Zyxel NAS devices are a popular choice with small to medium-sized businesses, who use them for data storage, backup, and to enable collaboration.

In 2020, 62,000 QNAP NAS devices across the globe were infected with malware that stole sensitive information, established a backdoor into the system, and persisted on the devices by preventing updates from being installed.


News URL

https://www.helpnetsecurity.com/2023/12/01/zyxel-nas-vulnerabilities/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-11-30 CVE-2023-4473 Unspecified vulnerability in Zyxel Nas326 Firmware and Nas542 Firmware
A command injection vulnerability in the web server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.
0.0
2023-06-19 CVE-2023-27992 OS Command Injection vulnerability in Zyxel Nas326 Firmware, Nas540 Firmware and Nas542 Firmware
The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request.
0.0

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Zyxel 378 0 69 85 46 200