Zyxel security advisory for post-authentication command injection vulnerability in NAS products

Zyxel_May

CVE: CVE-2023-5372


Zyxel has released patches addressing a post-authentication command injection vulnerability in some NAS versions. Users are advised to install them for optimal protection.

What is the vulnerability?

The post-authentication command injection vulnerability in some Zyxel NAS devices could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands by sending a crafted query parameter attached to the URL of an affected device’s web management interface.
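The class of bug described above, as an added illustration that is not Zyxel's code: the advisory does not publish the affected handler or parameter name, so the `host` query parameter and the `echo`-based stand-in for a network utility are assumptions. The vulnerable handler splices the parameter into a string that `/bin/sh` parses, so a value containing `;` runs a second command; the hardened handler validates against an allow-list (which also blocks a leading `-`, closing off argument injection) and passes an argv list so no shell is involved.

```python
"""Added example of a command injection via a URL query parameter and its
hardened counterpart. Generic illustration, not Zyxel code: the handler
name, the `host` parameter and the use of `echo` as a stand-in for a
network tool are assumptions."""
import re
import subprocess
from urllib.parse import parse_qs, urlparse

# Hostname allow-list: must start with an alphanumeric (so it can never be
# parsed as an option), then letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def query_param(url, name):
    """First value of query parameter `name` in `url`, or None if absent."""
    values = parse_qs(urlparse(url).query, keep_blank_values=True).get(name)
    return values[0] if values else None


def valid_host(host):
    """True only for values that match the allow-list exactly."""
    return host is not None and HOSTNAME_RE.fullmatch(host) is not None


def build_command_vulnerable(host):
    """Vulnerable: untrusted input is spliced into a string the shell parses.
    'localhost;echo INJECTED' becomes two commands."""
    return f"echo resolving {host}"


def build_command_hardened(host):
    """Hardened: validate, then build an argv list (no shell parsing)."""
    if not valid_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["echo", "resolving", host]


def handle_vulnerable(url):
    """What the vulnerable handler executes; returns stdout lines."""
    cmd = build_command_vulnerable(query_param(url, "host"))
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def handle_hardened(url):
    """What the hardened handler executes; returns stdout lines."""
    argv = build_command_hardened(query_param(url, "host"))
    out = subprocess.run(argv, capture_output=True, text=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    # Constructed request: an authenticated admin session sending a crafted
    # query string (';' URL-encoded as %3B so it survives query parsing).
    crafted = "http://nas.example/cgi-bin/tool?host=localhost%3Becho%20INJECTED"
    print(handle_vulnerable(crafted))     # second line comes from the injected command
    try:
        handle_hardened(crafted)
    except ValueError as exc:
        print(exc)                        # the crafted value is rejected
    print(handle_hardened("http://nas.example/cgi-bin/tool?host=localhost"))
```

The check to take away is the second half: validation narrows the input, but it is the argv list (no `shell=True`) that removes the shell from the path entirely, so a future relaxation of the allow-list does not reopen the injection.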

What versions are vulnerable—and what should you do?

After a thorough investigation, we have identified the products affected* at the time of the issue report and provided the firmware patches outlined in the table below.

Affected model | Affected version             | Patch availability
-------------- | ---------------------------- | ------------------
               | V5.21(AAZF.15)C0 and earlier |
               | V5.21(ABAG.12)C0 and earlier |


*Note that both vulnerable models reached end-of-vulnerability-support on Dec. 31, 2023.
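A helper for checking an inventory of firmware version strings against the table above, as an added example that is not a Zyxel tool. It assumes the version format V&lt;major&gt;.&lt;minor&gt;(&lt;code&gt;.&lt;build&gt;)C&lt;rev&gt; exactly as it appears in the table, that the four-letter code in parentheses identifies one firmware line, and that "and earlier" means a lower (major, minor, build, rev) tuple; the sample inventory is constructed.

```python
"""Added helper: classify Zyxel NAS firmware version strings against the
affected versions in this advisory. Not a Zyxel tool. Assumptions: the
V<major>.<minor>(<code>.<build>)C<rev> format from the table, that the code
identifies one firmware line, and tuple ordering for 'and earlier'."""
import re

VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")

# Highest affected version per firmware line, copied from the advisory table.
AFFECTED_CEILING = {
    "AAZF": "V5.21(AAZF.15)C0",
    "ABAG": "V5.21(ABAG.12)C0",
}


def parse_version(version):
    """Split a version string into (code, (major, minor, build, rev))."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, code, build, rev = m.groups()
    return code, (int(major), int(minor), int(build), int(rev))


def is_affected(version):
    """True if at or below the ceiling for its line, False if newer,
    None if the line is not listed in this advisory."""
    code, tup = parse_version(version)
    ceiling = AFFECTED_CEILING.get(code)
    if ceiling is None:
        return None
    return tup <= parse_version(ceiling)[1]


def classify(versions):
    """Bucket an inventory into affected / newer-than-ceiling / unlisted."""
    buckets = {"affected": [], "newer": [], "unlisted": []}
    for v in versions:
        result = is_affected(v)
        key = "unlisted" if result is None else ("affected" if result else "newer")
        buckets[key].append(v)
    return buckets


if __name__ == "__main__":
    # Constructed inventory; only the two ceilings come from the advisory.
    inventory = [
        "V5.21(AAZF.15)C0",   # at the ceiling: affected
        "V5.21(AAZF.16)C0",   # one build newer: not in the affected range
        "V5.20(ABAG.13)C0",   # older minor release: affected
        "V5.21(ABAG.13)C0",   # newer than ceiling
        "V5.21(ABCD.1)C0",    # firmware line not listed here
    ]
    for bucket, items in classify(inventory).items():
        print(bucket, items)
```

A version newer than the ceiling is only "not in the listed affected range"; it is not a statement that the device is supported, since the note above says both lines are past end-of-vulnerability-support, and a string that does not parse should be investigated rather than silently skipped, which is why `parse_version` raises.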

Got a question?

Please contact your local service rep or visit Zyxel’s community for further information or assistance.


Thanks to Gábor Selján from BugProve for reporting the issue to us.

Revision history

2024-01-30: Initial release.