Home Latest Cyber Security News | Network Security Hacking Severe OS Command Injection Vulnerability Caught In Zyxel NAS Products
Latest Cyber Security News | Network Security HackingNewsVulnerabilities

Severe OS Command Injection Vulnerability Caught In Zyxel NAS Products

by Abeerah Hashim
written by Abeerah Hashim
Zyxel NAS devices exhibited critical security flaws

Heads up, Zyxel users! The vendors have recently released patches for a serious security vulnerability affecting Zyxel NAS products. Exploiting the vulnerability could allow executing arbitrary commands on the target devices. Users must rush to update their devices with patched firmware releases to avoid potential attacks.

Zyxel NAS OS Command Injection Vulnerability

According to a recent advisory from the networking technology giant Zyxel Networks, their NAS devices had a critical security vulnerability.

Zyxel offers a range of NAS (Network Attached Storage) devices for personal and professional users to store their data securely. These cloud-enabled devices empower the users to store and access their data from the NAS at any time without fearing third-party breaches. All it takes is a WiFi connection to transfer photos, videos, and other personal or business stuff to the NAS device.

While that sounds helpful and less risky, any vulnerabilities affecting these devices directly make the users’ data vulnerable.

As explained in the advisory, the vendor addressed an OS command injection vulnerability affecting its NAS devices’ firmware. The vulnerability could allow an unauthenticated adversary to execute remote OS commands on the target devices by sending maliciously crafted HTTP requests.

The vulnerability affects three different Zyxel NAS models, which include the following.

  • NAS326 – V5.21(AAZF.13)C0 and earlier
  • NAS540 – V5.21(AATB.10)C0 and earlier
  • NAS542 – V5.21(ABAG.10)C0 and earlier

After detecting the flaw, the vendor quickly worked on patching the bug, releasing the fix with the following updates.

  • NAS326 – V5.21(AAZF.14)C0
  • NAS540 – V5.21(AATB.11)C0
  • NAS542 – V5.21(ABAG.11)C0

This pre-authentication OS command injection vulnerability (CVE-2023-27992) received a critical severity rating with a CVSS score of 9.8. Zyxel acknowledged Andrej Zaujec from the National Cyber Security Centre Finland (NCSC-FI), and Maxim Suslov for reporting the flaw.

Although the vendor has currently not mentioned anything about detecting active exploitation of the vulnerability. Yet, they urge the users to update their respective devices with the latest firmware updates to receive the bug fixes in time.

Let us know your thoughts in the comments.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

You may also like

Multiple Vulnerabilities Found In Forminator WordPress Plugin

Palo Alto Networks Patched A Pan-OS Vulnerability Under...

Apple Removed Numerous Apps From China App Store

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall...

Personal Data Exposed in Massive Global Hack: Understanding...

Guardz Welcomes SentinelOne as Strategic Partner and Investor...

Invision Community Vulnerabilities Risk E-Commerce Websites

Microsoft April Patch Tuesday Fixes Dozens of RCE...

Match Systems publishes report on the consequences of...

Cypago Announces New Automation Support for AI Security...