Security News Zyxel Releases Urgent Security Updates for Critical Vulnerability in NAS Devices

MuzzMelbourne

Level 15
Thread author
Verified
Top Poster
Well-known
Mar 13, 2022
593
Zyxel has rolled out security updates to address a critical security flaw in its network-attached storage (NAS) devices that could result in the execution of arbitrary commands on affected systems.

Tracked as CVE-2023-27992 (CVSS score: 9.8), the issue has been described as a pre-authentication command injection vulnerability.

"The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request," Zyxel said in an advisory published today.
 

CyberTech

Level 44
Verified
Top Poster
Well-known
Nov 10, 2017
3,281
Zyxel, a company that has struggled with software security problems, documented at least 15 security flaws in a range of products and warned that unpatched devices are at risk of authentication bypass, command injection and denial-of-service attacks.

The company is calling special attention to exposed attack surfaces in its firewalls and access points, warning that multiple devices can be exploited to access configuration files, steal sensitive cookies, launch denial-of-service conditions or execute commands.

In some cases, Zyxel said its firewalls and access points could allow an authenticated local attacker to modify the URL of the registration page in the web GUI of an affected device or access the administrator’s logs on an affected device.

The hardware vendor also shipped a second bulletin to warn of authentication bypass vulnerability and command injection vulnerabilities in two NAS (network attached storage) products.

In all, Zyxel documented six separate flaws in the NAS226 and NAS542 cloud storage devices, noting that attackers can exploit the flaws to capture sensitive system information or execute some operating system (OS) commands via booby-trapped URLs.

Security defects in Zyxel products feature prominents in the CISA KEV (Known Exploited Vulnerabilities) catalog and the company has acknowledged its devices have been ensnared in multiple DDoS-capable botnets.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top