Zyxel security advisory for pre-authentication command injection vulnerability in NAS products




CVE: CVE-2023-27992
Summary
Zyxel has released patches addressing a pre-authentication command injection vulnerability in some NAS versions. Users are advised to install them for optimal protection.
What is the vulnerability?
The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request.
What versions are vulnerable—and what should you do?
After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period, with their firmware patches shown in the table below.
Affected model | Affected version | Patch availability |
---|---|---|
NAS326 | V5.21(AAZF.13)C0 and earlier | |
NAS540 | V5.21(AATB.10)C0 and earlier | |
NAS542 | V5.21(ABAG.10)C0 and earlier |
Got a question?
Please contact your local service rep or visit Zyxel’s community for further information or assistance.
Acknowledgment
Thanks to Andrej Zaujec, NCSC-FI, and Maxim Suslov for reporting the issue to us.
Revision history
2023-06-20: Initial release.
Categories
- All Categories
- 199 Beta Program
- 1.8K Nebula
- 94 Nebula Ideas
- 63 Nebula Status and Incidents
- 4.7K Security
- 236 Security Ideas
- 1.1K Switch
- 52 Switch Ideas
- 919 WirelessLAN
- 28 WLAN Ideas
- 5.4K Consumer Product
- 173 Service & License
- 296 News and Release
- 65 Security Advisories
- 14 Education Center
- 1K FAQ
- 455 Nebula FAQ
- 258 Security FAQ
- 100 Switch FAQ
- 115 WirelessLAN FAQ
- 22 Consumer Product FAQ
- 70 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 69 About Community
- 52 Security Highlight