Zyxel Patches Critical RCE Vulnerability Affecting NAS Devices

June 21, 2023

Zyxel released a security advisory addressing a critical vulnerability affecting its network-attached storage (NAS) devices, which might result in remote code execution (RCE).

The Vulnerability

  • CVE-2023-27992 (CVSS:3.1 – 9.8, Critical) – RCE vulnerability in several Zyxel NAS firmware versions. An unauthenticated threat actor could exploit this vulnerability to remotely execute certain operating system (OS) commands by sending a crafted HTTP request.

Vulnerable Versions

  • NAS326: V5.21(AAZF.13)C0 and earlier
  • NAS540: V5.21(AATB.10)C0 and earlier
  • NAS542: V5.21(ABAG.10)C0 and earlier

Mitigation

CYREBRO recommends updating all affected products to the latest firmware versions.
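
To find which devices need the update, an inventory can be checked against the versions listed above. The following is an added example, not code from Zyxel or CYREBRO. It assumes that firmware strings follow the layout V<major>.<minor>(<model code>.<revision>)C<n> and that versions order by (major, minor, revision). The host names and the non-threshold version strings are constructed.

```python
import re

# Last vulnerable firmware per model, taken from the advisory list above.
LAST_VULNERABLE = {
    "NAS326": "V5.21(AAZF.13)C0",
    "NAS540": "V5.21(AATB.10)C0",
    "NAS542": "V5.21(ABAG.10)C0",
}

# Assumed layout: V<major>.<minor>(<model code>.<revision>)C<n>
_FW = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)C(\d+)$")


def parse_firmware(version):
    """Return (model_code, (major, minor, revision)) or raise ValueError."""
    m = _FW.match(version.strip().upper())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    return m[3], (int(m[1]), int(m[2]), int(m[4]))


def classify(model, version):
    """Return 'vulnerable', 'newer', 'not-listed' or 'unknown' for one device."""
    limit = LAST_VULNERABLE.get(model.strip().upper())
    if limit is None:
        return "not-listed"          # model is not in the advisory
    limit_code, limit_key = parse_firmware(limit)
    try:
        code, key = parse_firmware(version)
    except ValueError:
        return "unknown"             # unparsable string, check by hand
    if code != limit_code:
        return "unknown"             # firmware code does not match the model
    return "vulnerable" if key <= limit_key else "newer"


def audit(inventory):
    """Map each (host, model, version) row to its classification."""
    return {host: classify(model, ver) for host, model, ver in inventory}


# Constructed sample inventory (hosts and non-threshold versions are made up).
SAMPLE = [
    ("nas-01", "NAS326", "V5.21(AAZF.13)C0"),
    ("nas-02", "NAS326", "V5.21(AAZF.99)C0"),
    ("nas-03", "NAS540", "V5.11(AATB.3)C0"),
    ("nas-04", "NAS542", "5.21 build 10"),
    ("nas-05", "EXAMPLE-NAS", "V1.00(ZZZZ.0)C0"),
]
```

Calling audit(SAMPLE) returns one status per host. Rows reported as "unknown" should be checked manually rather than assumed safe.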

References: Zyxel Advisory
