Zyxel warns about critical vulnerabilities in branded NAS devices

Brother

Data loss and arbitrary code execution may occur — You need to update your hardware immediately.

Zyxel has discovered several serious vulnerabilities in its network attached storage (NAS) devices, including three critical ones that could allow unauthorized attackers to execute arbitrary commands on vulnerable devices.

Zyxel NAS systems are used for centralized data storage on the network and are designed to work with large amounts of information. They offer features like backup, media streaming, and customizing sharing options.

Typical users of Zyxel NAS include small and medium-sized enterprises looking for solutions to manage their data and to work with it remotely and collaboratively. Beyond the corporate sphere, NAS devices are in demand among IT professionals, videographers, and digital artists who work with large files.

In the security bulletin published on November 30, the manufacturer warns about the following vulnerabilities affecting NAS326 devices with firmware version 5.21(AAZF.14)C0 and earlier, as well as NAS542 devices with version 5.21(ABAG.11)C0 and earlier:
  • CVE-2023-35137: vulnerability in the Zyxel NAS device authentication module that allows unauthorized attackers to access system information via a specially created URL (CVSS 7.5 score);
  • CVE-2023-35138: Command injection vulnerability in the "show_zysync_server_contents" function of Zyxel NAS devices, which allows unauthorized attackers to execute OS commands via a specially created HTTP POST request (CVSS 9.8 score);
  • CVE-2023-37927: vulnerability in the CGI program of Zyxel NAS devices that allows authenticated attackers to execute OS commands using a specially created URL (CVSS score 8.8);
  • CVE-2023-37928: Post-authentication command injection vulnerability in the WSGI server of Zyxel NAS devices that allows authenticated attackers to execute OS commands via a specially created URL (CVSS score 8.8);
  • CVE-2023-4473: Command injection vulnerability in the Zyxel NAS device web server that allows unauthorized attackers to execute OS commands via a specially created URL (CVSS 9.8 score);
  • CVE-2023-4474: vulnerability in the WSGI server of Zyxel NAS devices that allows unauthorized attackers to execute OS commands using a specially created URL (CVSS 9.8 score).

Attackers can use the above vulnerabilities to gain unauthorized access, execute operating system commands, obtain confidential system information, or take full control of the affected Zyxel NAS devices.

To address these risks, NAS326 users are advised to upgrade to V5.21(AAZF.15)C0 or later. NAS542 users should update their firmware to V5.21(ABAG.12)C0 or later to address the above security flaws.

The manufacturer did not provide any mitigation tips or workarounds, recommending a firmware update as the main protective action.
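As an added defender-side example (not from Zyxel's bulletin or from this post), the following Python helper parses firmware strings in the format quoted above and flags NAS326/NAS542 units whose build is still in the affected range; the inventory entries are constructed, and the assumption is that the per-model release code (AAZF, ABAG) and trailing build number order releases within the 5.21 line.

```python
import re

# Affected and fixed builds per the bulletin summarised above (table built
# from the two version strings it quotes; release codes are per model).
ADVISORY = {
    "NAS326": {"code": "AAZF", "last_affected": 14, "first_fixed": 15},
    "NAS542": {"code": "ABAG", "last_affected": 11, "first_fixed": 12},
}

# Zyxel strings look like "V5.21(AAZF.14)C0": major.minor, a per-model
# release code with a build number, then a patch suffix. Whitespace is
# stripped first so copy-pasted strings such as "5.21(ABAG. 11) C0" parse.
VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")

def parse_version(text):
    """Return (major, minor, code, build, patch); raise on unknown format."""
    m = VERSION_RE.match("".join(text.split()))
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    major, minor, code, build, patch = m.groups()
    return int(major), int(minor), code, int(build), int(patch)

def is_affected(model, version_text):
    """True/False for models in the bulletin; None when it cannot decide."""
    adv = ADVISORY.get(model)
    if adv is None:
        return None  # model not covered by this bulletin
    major, minor, code, build, _ = parse_version(version_text)
    if code != adv["code"]:
        return None  # different firmware line; build numbers not comparable
    if (major, minor) != (5, 21):
        return (major, minor) < (5, 21)  # "and earlier" covers older lines
    return build <= adv["last_affected"]

def needs_update(inventory):
    """Return [(hostname, model, version)] for devices still affected."""
    return [(h, m, v) for h, m, v in inventory if is_affected(m, v)]

# Constructed sample inventory: (hostname, model, firmware as reported).
SAMPLE_INVENTORY = [
    ("nas-hq-1", "NAS326", "V5.21(AAZF.14)C0"),  # last affected build
    ("nas-hq-2", "NAS326", "V5.21(AAZF.15)C0"),  # first fixed build
    ("nas-lab", "NAS542", "5.21(ABAG. 11) C0"),   # spacing as printed above
    ("nas-ops", "NAS542", "V5.21(ABAG.12)C0"),
]

if __name__ == "__main__":
    for host, model, ver in needs_update(SAMPLE_INVENTORY):
        fix = ADVISORY[model]
        print(f"{host}: {model} {ver} affected; upgrade to "
              f"V5.21({fix['code']}.{fix['first_fixed']})C0 or later")
```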