The Software Engineering Institute CERT Coordination Center advised that several ZyXEL network-attached storage devices contain a pre-authentication command injection vulnerability.

CVE-2020-9054, if exploited, could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. The problem is it uses the weblogin.cgi CGI executable for authentication and that program fails to properly sanitize the username parameter it obtains.

“By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker,” the advisory stated.

The problem can be mitigated through firmware updates, which are now available for ZyXEL models NAS326, NAS520, NAS540, and NAS542 devices.

Unfortunately, the following devices are also vulnerable but cannot be updated as they are no longer supported: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2.