
Zyxel Has Released Patches Addressing a Pre-Authentication Command Injection Vulnerability in Some NAS Versions

Reference: Advisory #2023-72
Version: 1.0
Affected software:
NAS326, version V5.21(AAZF.13)C0 and earlier
NAS540, version V5.21(AATB.10)C0 and earlier
NAS542, version V5.21(ABAG.10)C0 and earlier
Type: OS Command Injection
CVE/CVSS: CVE-2023-27992 (CVSS v3 9.8)

Sources

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-pre-authentication-command-injection-vulnerability-in-nas-products
https://nvd.nist.gov/vuln/detail/CVE-2023-27992

Risks

Successful exploitation of this critical vulnerability allows an unauthenticated, remote attacker to execute operating system (OS) commands on the affected NAS by sending a single crafted HTTP request; no credentials or user interaction are required.

Description

CVE-2023-27992 is a pre-authentication OS command injection vulnerability in the firmware of some Zyxel NAS (Network Attached Storage) devices.

Affected products:

  • NAS326, version V5.21(AAZF.13)C0 and earlier
  • NAS540, version V5.21(AATB.10)C0 and earlier
  • NAS542, version V5.21(ABAG.10)C0 and earlier
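Because each affected entry is expressed as "this version and earlier", an administrator with more than a handful of devices needs to compare Zyxel firmware strings in order, not just match them. The following Python script is an added example written for this advisory, not Zyxel's or CERT.be's code: it parses the V<major>.<minor>(<model code>.<release>)C<revision> format, treats the listed versions as the last vulnerable release per model, and triages a constructed inventory. The ordering rule (major, minor, release, revision) and the sample hostnames and versions are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Last affected firmware per model, taken from the advisory ("and earlier" is vulnerable).
AFFECTED = {
    "NAS326": "V5.21(AAZF.13)C0",
    "NAS540": "V5.21(AATB.10)C0",
    "NAS542": "V5.21(ABAG.10)C0",
}

# Zyxel version format: V<major>.<minor>(<model code>.<release>)C<revision>
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


@dataclass(frozen=True)
class FirmwareVersion:
    major: int
    minor: int
    code: str      # per-model code, e.g. AAZF for NAS326; not part of the ordering
    release: int
    revision: int

    @property
    def sort_key(self):
        # Assumption for this example: releases are ordered by major, minor,
        # release number and finally the C<n> revision.
        return (self.major, self.minor, self.release, self.revision)


def parse_version(text):
    """Parse a Zyxel firmware string; raise ValueError if the format is unknown."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, code, release, revision = m.groups()
    return FirmwareVersion(int(major), int(minor), code, int(release), int(revision))


def is_vulnerable(model, version_text):
    """True if `version_text` on `model` is at or before the last affected version."""
    if model not in AFFECTED:
        raise KeyError(f"model {model!r} is not covered by this advisory")
    last_bad = parse_version(AFFECTED[model])
    current = parse_version(version_text)
    if current.code != last_bad.code:
        # A different model code means the string is not firmware for this model.
        raise ValueError(f"code {current.code} does not belong to {model}")
    return current.sort_key <= last_bad.sort_key


def triage(inventory_text):
    """Map hostname -> VULNERABLE / PATCHED / UNKNOWN for 'host,model,firmware' lines."""
    results = {}
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            continue  # malformed line; nothing to attribute it to
        host, model, firmware = fields
        try:
            results[host] = "VULNERABLE" if is_vulnerable(model, firmware) else "PATCHED"
        except (KeyError, ValueError):
            results[host] = "UNKNOWN"  # unknown model, bad string or wrong model code
    return results


# Constructed sample inventory for the example; hostnames and versions are made up.
SAMPLE_INVENTORY = """\
# hostname,model,firmware
nas-fin-01,NAS326,V5.21(AAZF.13)C0
nas-fin-02,NAS326,V5.21(AAZF.14)C0
nas-lab-01,NAS540,V5.21(AATB.10)C0
nas-lab-02,NAS542,V5.21(ABAG.11)C0
nas-old-01,NAS542,V5.20(ABAG.9)C0
nas-misc-01,NAS326,not-a-version
"""

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {status}")
```

Devices reported UNKNOWN still need a manual look: a version string that does not parse, or a model code that does not match the model, usually means the inventory is wrong rather than that the device is safe.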

The flaw was reported to Zyxel by Andrej Zaujec, NCSC-FI, and Maxim Suslov, and has a CVSS v3 base score of 9.8 (critical).

Recommended Actions

To address the vulnerability, Zyxel advises users to update to the fixed firmware listed in its advisory: V5.21(AAZF.14)C0 for NAS326, V5.21(AATB.11)C0 for NAS540 and V5.21(ABAG.11)C0 for NAS542. Because the flaw is exploitable without credentials over HTTP, any NAS whose web management interface is reachable from the internet should be treated as exposed: restrict that interface to trusted networks until the update is installed, and confirm the running firmware version afterwards. The advisory is available at:

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-pre-authentication-command-injection-vulnerability-in-nas-products

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

References

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-pre-authentication-command-injection-vulnerability-in-nas-products
https://nvd.nist.gov/vuln/detail/CVE-2023-27992
https://www.zyxel.com/global/en/support/download?model=nas326
https://www.zyxel.com/global/en/support/download?model=nas540