Zyxel has patched a high-severity authenticated command injection vulnerability (CVE-2023-27988) in some of its network-attached storage (NAS) devices aimed at home users.
About the vulnerability (CVE-2023-27988)
The vulnerability was discovered in the devices’ web management interface.
“An authenticated attacker with administrator privileges could leverage this vulnerability to execute some operating system (OS) commands on an affected device remotely,” Zyxel has confirmed.
The following versions of the Zyxel NAS devices are affected:
- NAS326 version 5.21(AAZF.12)C0 and earlier
- NAS540 version 5.21(AAZF.9)C0 and earlier
- NAS542 version 5.21(AAZF.9)C0 and earlier
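As an added example (not part of this article or of Zyxel's advisory), the following inventory check parses Zyxel's version string format and flags devices that fall at or below the affected ceilings listed above. It assumes versions follow the `5.21(AAZF.12)C0` shape shown in the list; the inventory rows are constructed sample data.

```python
import re

# Affected ceilings copied from the advisory list above: "this version and earlier".
AFFECTED = {
    "NAS326": "5.21(AAZF.12)C0",
    "NAS540": "5.21(AAZF.9)C0",
    "NAS542": "5.21(AAZF.9)C0",
}

# Assumed version shape: <major>.<minor>(<label>.<patch>)C<rev>
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def parse_version(version):
    """Split e.g. '5.21(AAZF.12)C0' into (major, minor, label, patch, crev)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {version!r}")
    major, minor, label, patch, crev = m.groups()
    return (int(major), int(minor), label, int(patch), int(crev))


def is_affected(model, version):
    """True if model/version is at or below the advisory ceiling, False if newer,
    None if the model is not in the advisory or the build label differs (needs
    manual verification rather than being assumed safe)."""
    ceiling = AFFECTED.get(model.upper())
    if ceiling is None:
        return None
    cur, ref = parse_version(version), parse_version(ceiling)
    if cur[2] != ref[2]:
        return None
    numeric = lambda v: (v[0], v[1], v[3], v[4])  # compare on numeric fields only
    return numeric(cur) <= numeric(ref)


# Constructed sample inventory rows (hostname, model, firmware); not real devices.
INVENTORY = [
    ("nas-01", "NAS326", "5.21(AAZF.12)C0"),
    ("nas-02", "NAS326", "5.21(AAZF.13)C0"),
    ("nas-03", "NAS542", "5.20(AAZF.3)C0"),
    ("nas-04", "NAS540", "5.21(ABCD.2)C0"),
]


def triage(rows):
    """Map each hostname to 'patch', 'ok' or 'verify'."""
    out = {}
    for name, model, version in rows:
        status = is_affected(model, version)
        out[name] = "patch" if status else ("ok" if status is False else "verify")
    return out
```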
The vulnerability was reported by Sternum researchers, who released a root cause analysis of the flaw and described how they got the target devices to do something they normally wouldn't.
“These tests also confirmed that the vulnerability we found could be used by an authenticated user to execute an arbitrary system command with root privileges on the device. Consequently, they could be used for a more malicious purpose—for instance, for a remote malware injection,” they explained.
Zyxel released firmware patches on Tuesday (May 30), and users should apply them as quickly as possible. The company has not mentioned any workarounds.
There is currently no indication that the vulnerability is being exploited by attackers, but NAS devices are generally an attractive target for cybercriminals, as evidenced by past ransomware attacks targeting QNAP NAS devices.