Zyxel Has Released Patches Addressing a Pre-Authentication Command Injection Vulnerability in Some NAS Versions

Published: 22/06/2023

Reference:
Advisory #2023-72

Version:
1.0

Affected software:
NAS326, version V5.21(AAZF.13)C0 and earlier
NAS540, version V5.21(AATB.10)C0 and earlier
NAS542, version V5.21(ABAG.10)C0 and earlier

Type:
OS Command Injection

CVE/CVSS:
CVE-2023-27992

Sources

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-pre-authentication-command-injection-vulnerability-in-nas-products
https://nvd.nist.gov/vuln/detail/CVE-2023-27992

Risks

Successful exploitation of this critical vulnerability allows an unauthenticated, remote attacker to execute some operating system (OS) commands on the device by sending a crafted HTTP request.

Description

CVE-2023-27992 is a pre-authentication command injection vulnerability in some NAS (Network Attached Storage) devices.

Affected products:

  • NAS326, version V5.21(AAZF.13)C0 and earlier
  • NAS540, version V5.21(AATB.10)C0 and earlier
  • NAS542, version V5.21(ABAG.10)C0 and earlier
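The affected-version list above is an "and earlier" rule per model, so an inventory check needs to parse Zyxel's firmware string format rather than compare text. The following is an added example (not from the advisory or from Zyxel) that parses version strings such as V5.21(AAZF.13)C0 and flags devices at or below the listed versions; the sample inventory is constructed, and it assumes that a higher patch number or C revision is newer within the same branch code.

```python
import re
from typing import List, Optional, Tuple

# Highest affected firmware per model, as listed in the advisory ("and earlier").
AFFECTED_MAX = {
    "NAS326": "V5.21(AAZF.13)C0",
    "NAS540": "V5.21(AATB.10)C0",
    "NAS542": "V5.21(ABAG.10)C0",
}

# Zyxel format: V<major>.<minor>(<branch code>.<patch>)C<revision>
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def parse_version(version: str) -> Tuple[int, int, str, int, int]:
    """Split a firmware string into (major, minor, branch code, patch, revision)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {version!r}")
    major, minor, code, patch, rev = m.groups()
    return int(major), int(minor), code, int(patch), int(rev)


def is_affected(model: str, version: str) -> Optional[bool]:
    """True if the firmware is at or below the advisory's listed version for the
    model, False if it is newer, None if the model is not covered by the advisory."""
    ceiling = AFFECTED_MAX.get(model.upper())
    if ceiling is None:
        return None
    maj, mnr, code, patch, rev = parse_version(version)
    cmaj, cmnr, ccode, cpatch, crev = parse_version(ceiling)
    if code != ccode:
        # A different branch code is not comparable against this advisory's entry.
        raise ValueError(f"firmware branch {code} does not match {model} ({ccode})")
    # Assumption: numeric order on (major, minor, patch, revision) is release order.
    return (maj, mnr, patch, rev) <= (cmaj, cmnr, cpatch, crev)


# Constructed sample inventory: (hostname, model, firmware). Not real devices.
SAMPLE_INVENTORY = [
    ("nas-01", "NAS326", "V5.21(AAZF.13)C0"),   # exactly the listed version
    ("nas-02", "NAS540", "V5.21(AATB.11)C0"),   # one patch level newer
    ("nas-03", "NAS542", "V5.20(ABAG.9)C0"),    # older minor release
]


def affected_hosts(inventory) -> List[str]:
    """Hostnames whose model/firmware pair falls inside the affected range."""
    return [host for host, model, fw in inventory if is_affected(model, fw)]
```

Devices reported as not affected should still be confirmed against the vendor advisory, since this check only encodes the versions listed here.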

The flaw was discovered by Andrej Zaujec, NCSC-FI, and Maxim Suslov and has received a CVSS v3 score of 9.8.

Recommended Actions

To address this vulnerability, Zyxel advises users to apply the firmware patches referenced in its advisory, available at:

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-pre-authentication-command-injection-vulnerability-in-nas-products

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident

References

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-pre-authentication-command-injection-vulnerability-in-nas-products
https://nvd.nist.gov/vuln/detail/CVE-2023-27992
https://www.zyxel.com/global/en/support/download?model=nas326
https://www.zyxel.com/global/en/support/download?model=nas540