
Zyxel addressed critical flaw CVE-2023-27992 in NAS Devices

Zyxel released security updates to address a critical vulnerability affecting its network-attached storage (NAS) devices.

Zyxel released security updates to address a critical security flaw, tracked as CVE-2023-27992 (CVSS score: 9.8), affecting its network-attached storage (NAS) devices.

The vulnerability is a pre-authentication command injection issue that impacts the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0. A remote, unauthenticated attacker can exploit the vulnerability to execute some operating system (OS) commands by sending a specially crafted HTTP request.
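Because Zyxel publishes fixes as full firmware strings such as V5.21(AAZF.14)C0 rather than plain semantic versions, a fleet check has to parse that format before it can decide whether a NAS is still exposed. The following Python is an added example (not code from this article or from Zyxel) that parses the version string into its parts, compares a device's running firmware against the fixed builds listed above, and triages a constructed inventory. It assumes the format `V<major>.<minor>(<code>.<build>)C<rev>` and that versions order by major.minor first, then build, then revision; the per-model firmware codes (AAZF, AATB, ABAG) are taken from the advisory versions quoted in the text, and the hostnames and versions in the sample inventory are made up.

```python
import re
from typing import Dict, NamedTuple

# First fixed firmware for CVE-2023-27992 per model, as listed in the Zyxel advisory.
FIXED_VERSIONS = {
    "NAS326": "V5.21(AAZF.14)C0",
    "NAS540": "V5.21(AATB.11)C0",
    "NAS542": "V5.21(ABAG.11)C0",
}

# Assumed layout of a Zyxel firmware string: V<major>.<minor>(<code>.<build>)C<rev>
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class FirmwareVersion(NamedTuple):
    major: int
    minor: int
    code: str        # per-model firmware code, e.g. AAZF for NAS326
    build: int
    revision: int

    def key(self):
        # Assumed ordering: release (major.minor) dominates, then build, then revision.
        return (self.major, self.minor, self.build, self.revision)


def parse_version(text: str) -> FirmwareVersion:
    """Parse a Zyxel firmware string; raises ValueError if it does not match the format."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {text!r}")
    major, minor, code, build, rev = m.groups()
    return FirmwareVersion(int(major), int(minor), code, int(build), int(rev))


def status(model: str, version: str) -> str:
    """Classify one device against the advisory.

    Returns one of: "vulnerable", "patched", "not-in-advisory",
    "firmware-code-mismatch" (version string belongs to a different model,
    so the inventory is probably wrong), or "unparseable".
    """
    fixed_text = FIXED_VERSIONS.get(model)
    if fixed_text is None:
        return "not-in-advisory"
    try:
        running = parse_version(version)
    except ValueError:
        return "unparseable"
    fixed = parse_version(fixed_text)
    if running.code != fixed.code:
        return "firmware-code-mismatch"
    return "vulnerable" if running.key() < fixed.key() else "patched"


def triage(inventory: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map hostname -> status for an inventory of {host: {"model": ..., "firmware": ...}}."""
    return {host: status(dev["model"], dev["firmware"]) for host, dev in inventory.items()}


# Constructed sample inventory (hostnames and firmware values are made up).
SAMPLE_INVENTORY = {
    "nas-hr-01":   {"model": "NAS326", "firmware": "V5.21(AAZF.13)C0"},  # one build short
    "nas-hr-02":   {"model": "NAS326", "firmware": "V5.21(AAZF.14)C0"},  # exactly fixed
    "nas-lab-01":  {"model": "NAS540", "firmware": "V5.20(AATB.12)C0"},  # older release
    "nas-lab-02":  {"model": "NAS542", "firmware": "V5.21(ABAG.11)C0"},
    "nas-misc-01": {"model": "NAS326", "firmware": "V5.21(AATB.14)C0"},  # wrong model code
    "nas-old-01":  {"model": "NAS520", "firmware": "V5.21(AASZ.9)C0"},   # not in advisory
}

if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12s} {result}")
```

Anything reported as "vulnerable" should be patched or taken off the network until it is; "firmware-code-mismatch" and "unparseable" are inventory-quality problems and should be resolved by checking the device directly rather than trusting the CMDB.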

“Zyxel has released patches addressing a pre-authentication command injection vulnerability in some NAS versions,” reads the advisory published by Zyxel. “The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request.”

The vulnerability was reported by Andrej Zaujec, NCSC-FI, and Maxim Suslov.

In early June, Zyxel published guidance for protecting its firewall and VPN devices from ongoing attacks exploiting the CVE-2023-28771, CVE-2023-33009, and CVE-2023-33010 vulnerabilities.

Threat actors are actively attempting to exploit the command injection vulnerability CVE-2023-28771 impacting Zyxel firewalls. Their objective is to leverage this vulnerability to deploy and install malware on the affected systems. US CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.

In late April, Zyxel addressed the critical vulnerability CVE-2023-28771 (CVSS score 9.8) in its firewall devices. The company promptly advised customers to install the provided patches in order to mitigate the vulnerability.

The vulnerability is being actively exploited to recruit vulnerable devices in a Mirai-like botnet.

The other two issues, tracked as CVE-2023-33009 and CVE-2023-33010, are critical buffer overflow vulnerabilities. A remote, unauthenticated attacker can trigger the flaws to cause a denial-of-service (DoS) condition or achieve remote code execution on vulnerable devices.

The company states that devices under attack become unresponsive and that their Web GUI or SSH management interface is no longer reachable.


Pierluigi Paganini
