Pierluigi Paganini June 20, 2023

Zyxel released security updates to address a critical vulnerability affecting its network-attached storage (NAS) devices.

Zyxel released security updates to address a critical security flaw, tracked as CVE-2023-27992 (CVSS score: 9.8), affecting its network-attached storage (NAS) devices.

The vulnerability is a pre-authentication command injection issue that impacts the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0. A remote, unauthenticated attacker can exploit the vulnerability to execute some operating system (OS) commands by sending a specially crafted HTTP request.

“Zyxel has released patches addressing a pre-authentication command injection vulnerability in some NAS versions.” reads the advisory published by Zyxel. “The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request,”

The vulnerability was reported by Andrej Zaujec, NCSC-FI, and Maxim Suslov.

In early June, Zyxel published guidance for protecting firewall and VPN devices from the ongoing attacks and exploiting  CVE-2023-28771, CVE-2023-33009, and CVE-2023-33010 vulnerabilities.

Threat actors are actively attempting to exploit the command injection vulnerability  CVE-2023-28771 impacting Zyxel firewalls. Their objective is to leverage this vulnerability to deploy and install malware on the affected systems. US CISA added the vulnerability to its Known Exploited Vulnerability to Catalog based on evidence of active exploitation.

In late April, Zyxel addressed the critical vulnerability CVE-2023-28771 (CVSS score 9.8) in its firewall devices. The company promptly advised customers to install the provided patches in order to mitigate the vulnerability.

The vulnerability is being actively exploited to recruit vulnerable devices in a Mirai-like botnet.

The other two issues, tracked as CVE-2023-33009 and CVE-2023-33010, are critical buffer overflow vulnerabilities. A remote, unauthenticated attacker can can trigger the flaws to cause a denial-of-service (DoS) condition and remote code execution on vulnerable devices.

The company states that devices under attack become unresponsive and their Web GUI or SSH management interface are not reachable.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, firewall)