Vulnerability Management, Endpoint/Device Security

Critical Zyxel NAS vulnerability fixed

Zyxel has issued security updates to resolve a critical pre-authentication command injection flaw affecting certain of its network-attached storage (NAS) devices, according to The Hacker News. Threat actors could exploit the vulnerability, tracked as CVE-2023-27992, to achieve arbitrary command execution. "The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request," Zyxel said. The affected Zyxel NAS devices include NAS326 V5.21(AAZF.13)C0 and earlier, NAS540 V5.21(AATB.10)C0 and earlier, and NAS542 V5.21(ABAG.10)C0 and earlier. Zyxel has urged immediate installation of the released updates amid increased targeting of its devices: the Cybersecurity and Infrastructure Security Agency recently added two Zyxel firewall bugs, tracked as CVE-2023-33009 and CVE-2023-33010, to its Known Exploited Vulnerabilities catalog after active attacks leveraging the flaws were discovered.
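As an added example for triaging this advisory (this is not code from SC Media, The Hacker News or Zyxel), the following Python script parses Zyxel-style firmware version strings and flags inventoried NAS devices whose firmware is at or below the affected builds listed above. The version-string grammar and the ordering it applies (major.minor first, then the patch number inside the parentheses, then the trailing C revision) are assumptions inferred from the three strings on the page, not a documented Zyxel scheme; the inventory rows, including any "later than affected" versions, are constructed for illustration and are not Zyxel's fixed versions.

```python
import re
from dataclasses import dataclass

# Affected ceilings exactly as listed on the page ("... and earlier").
AFFECTED_CEILINGS = {
    "NAS326": "V5.21(AAZF.13)C0",
    "NAS540": "V5.21(AATB.10)C0",
    "NAS542": "V5.21(ABAG.10)C0",
}

# Assumed grammar: V<major>.<minor>(<BUILDCODE>.<patch>)C<revision>
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


@dataclass(frozen=True)
class ZyxelVersion:
    major: int
    minor: int
    build_code: str   # model-specific build code, e.g. AAZF for NAS326
    patch: int
    revision: int

    def key(self) -> tuple:
        # Assumed ordering: major.minor, then patch, then C revision.
        return (self.major, self.minor, self.patch, self.revision)


def parse_version(text: str) -> ZyxelVersion:
    """Parse a firmware string such as 'V5.21(AAZF.13)C0'; raise on anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version string: {text!r}")
    major, minor, code, patch, rev = m.groups()
    return ZyxelVersion(int(major), int(minor), code, int(patch), int(rev))


def assess(model: str, installed: str) -> str:
    """Return 'affected', 'not-affected' or 'unknown' for CVE-2023-27992.

    'unknown' is returned when the model is not in the page's list, the version
    string does not parse, or the build code does not match the model (which
    usually means the inventory record itself is wrong and needs a second look).
    """
    ceiling_text = AFFECTED_CEILINGS.get(model)
    if ceiling_text is None:
        return "unknown"
    ceiling = parse_version(ceiling_text)
    try:
        current = parse_version(installed)
    except ValueError:
        return "unknown"
    if current.build_code != ceiling.build_code:
        return "unknown"
    return "affected" if current.key() <= ceiling.key() else "not-affected"


# Constructed inventory rows (hypothetical hosts and firmware strings).
SAMPLE_INVENTORY = [
    {"host": "nas-01", "model": "NAS326", "firmware": "V5.21(AAZF.13)C0"},  # exactly the ceiling
    {"host": "nas-02", "model": "NAS326", "firmware": "V5.21(AAZF.14)C0"},  # constructed later patch
    {"host": "nas-03", "model": "NAS540", "firmware": "V5.11(AATB.3)C0"},   # older major.minor
    {"host": "nas-04", "model": "NAS542", "firmware": "V5.21(ABAG.11)C0"},  # constructed later patch
    {"host": "nas-05", "model": "NAS542", "firmware": "V5.21(AATB.10)C0"},  # build code mismatch
    {"host": "nas-06", "model": "NAS326", "firmware": "5.21"},              # malformed record
]


def triage(inventory: list) -> dict:
    """Map each host to its CVE-2023-27992 status so 'affected' hosts can be patched first."""
    return {row["host"]: assess(row["model"], row["firmware"]) for row in inventory}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" deserve a manual check rather than being treated as safe: a build code that does not match the model or a version string that does not parse is most often an inventory data problem, and the device may still be on affected firmware.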
