Zyxel warns of multiple critical vulnerabilities in NAS devices

Zyxel has addressed multiple security issues, including three critical ones that could allow an unauthenticated attacker to execute operating system commands on vulnerable network-attached storage (NAS) devices.

Zyxel NAS systems are used for storing data in a centralized location on the network. They are designed for high volumes of data and offer features like data backup, media streaming, or customized sharing options.

Typical Zyxel NAS users include small to medium-sized businesses seeking a solution that combines data management, remote work, and collaboration features, as well as IT professionals setting up data redundancy systems, or videographers and digital artists working with large files.

In a security bulletin today, the vendor warns of the following flaws impacting NAS326 devices running version 5.21(AAZF.14)C0 and earlier, and NAS542 with version 5.21(ABAG.11)C0 and earlier.

  • CVE-2023-35137: Improper authentication vulnerability in Zyxel NAS devices' authentication module, allowing unauthenticated attackers to obtain system information via a crafted URL. (high-severity score of 7.5)
  • CVE-2023-35138: Command injection flaw in the "show_zysync_server_contents" function in Zyxel NAS devices, permitting unauthenticated attackers to execute OS commands through a crafted HTTP POST request. (critical-severity score of 9.8)
  • CVE-2023-37927: Vulnerability in Zyxel NAS devices' CGI program, enabling authenticated attackers to execute OS commands with a crafted URL. (high-severity score of 8.8)
  • CVE-2023-37928: Post-authentication command injection in Zyxel NAS devices' WSGI server, allowing authenticated attackers to execute OS commands via a crafted URL. (high-severity score of 8.8)
  • CVE-2023-4473: Command injection flaw in the web server of Zyxel NAS devices, permitting unauthenticated attackers to execute OS commands through a crafted URL. (critical-severity score of 9.8)
  • CVE-2023-4474: Vulnerability in the WSGI server of Zyxel NAS devices, allowing unauthenticated attackers to execute OS commands with a crafted URL. (critical-severity score of 9.8)

Threat actors could exploit the vulnerabilities above to gain unauthorized access, execute operating system commands, obtain sensitive system information, or take complete control of the affected Zyxel NAS devices.

To address these risks, users of NAS326 are recommended to upgrade to version V5.21(AAZF.15)C0 or later, and users of NAS542 should upgrade their firmware to V5.21(ABAG.12)C0 or later. These releases fix the above flaws.
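The bulletin gives a last-affected and a first-fixed firmware string per model, which is exactly what an inventory check needs. The script below is an added example (not Zyxel's own tooling): it parses the version format used in the bulletin, MAJOR.MINOR(BRANCH.BUILD)SUFFIX, compares a device's firmware against the fixed release for its model, and flags devices that cannot be assessed instead of silently skipping them. The ordering rule (compare major, minor and build number; ignore the trailing suffix) and the hostnames in the sample inventory are assumptions made for the example.

```python
"""Triage Zyxel NAS326 / NAS542 firmware versions against the fixed releases
named in the Zyxel bulletin (V5.21(AAZF.15)C0 for NAS326, V5.21(ABAG.12)C0 for
NAS542).  Added example, not Zyxel's own tooling.  The parser assumes the
format seen in the bulletin: MAJOR.MINOR(BRANCH.BUILD)SUFFIX."""
import re
from typing import NamedTuple


class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    branch: str   # build line, e.g. "AAZF" for NAS326 and "ABAG" for NAS542
    build: int    # build number inside the parentheses
    suffix: str   # trailing release tag such as "C0"


# Assumption: an optional leading "V", then MAJOR.MINOR(BRANCH.BUILD)SUFFIX.
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)([A-Z]\d+)$")


def parse_version(text: str) -> ZyxelVersion:
    """Parse a firmware string such as '5.21(AAZF.14)C0'; raise on anything else."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {text!r}")
    major, minor, branch, build, suffix = m.groups()
    return ZyxelVersion(int(major), int(minor), branch, int(build), suffix)


# First fixed firmware per model, taken from the bulletin.
FIXED_VERSIONS = {
    "NAS326": parse_version("V5.21(AAZF.15)C0"),
    "NAS542": parse_version("V5.21(ABAG.12)C0"),
}


def is_patched(model: str, version_text: str) -> bool:
    """True if version_text is at or beyond the fixed release for model.

    Ordering assumption: (major, minor, build); the trailing suffix is ignored.
    A firmware on a build line other than the model's known one is rejected
    rather than guessed at, so the caller sees it as 'cannot assess'."""
    if model not in FIXED_VERSIONS:
        raise ValueError(f"no fix information for model {model!r}")
    fixed = FIXED_VERSIONS[model]
    v = parse_version(version_text)
    if v.branch != fixed.branch:
        raise ValueError(
            f"{model} firmware {version_text!r} is on build line {v.branch}, "
            f"expected {fixed.branch}"
        )
    return (v.major, v.minor, v.build) >= (fixed.major, fixed.minor, fixed.build)


def triage(inventory):
    """Split an inventory of (hostname, model, version) tuples into devices
    that still need the firmware update and devices that could not be assessed."""
    needs_update, unknown = [], []
    for host, model, version in inventory:
        try:
            if not is_patched(model, version):
                needs_update.append(host)
        except ValueError as exc:
            unknown.append((host, str(exc)))
    return needs_update, unknown


# Constructed sample inventory (hostnames and the 5.20 entry are invented).
SAMPLE_INVENTORY = [
    ("nas-finance", "NAS326", "5.21(AAZF.14)C0"),   # last affected NAS326 build
    ("nas-media",   "NAS326", "V5.21(AAZF.15)C0"),  # first fixed NAS326 build
    ("nas-backup",  "NAS542", "5.21(ABAG.11)C0"),   # last affected NAS542 build
    ("nas-archive", "NAS542", "5.21(ABAG.12)C0"),   # first fixed NAS542 build
    ("nas-lab",     "NAS542", "5.20(ABAG.9)C0"),    # older release, still affected
    ("nas-unknown", "NAS326", "firmware?"),         # unparsable, must be flagged
]

if __name__ == "__main__":
    vulnerable, unparsed = triage(SAMPLE_INVENTORY)
    print("needs firmware update:", vulnerable)
    print("could not assess:", unparsed)
```

Feed `triage` the model and firmware string your asset inventory already records for each NAS; anything in the "could not assess" list (unparsable string, unexpected build line, unlisted model) should be checked by hand rather than assumed safe.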

The vendor has provided no mitigation advice or workarounds; upgrading the firmware is the recommended action.


Update 12/4 - More details about four of the six flaws highlighted above, which were discovered by security researchers at BugProve, can be found here and here.
