Zyxel patches critical vulnerability in NAS devices (CVE-2023-27992)

Zyxel has released firmware patches for a critical vulnerability (CVE-2023-27992) in some of its consumer network attached storage (NAS) devices.


About CVE-2023-27992

CVE-2023-27992 is an OS command injection flaw that could be triggered remotely by an unauthenticated attacker, via a specially crafted HTTP request.

It affects the following Zyxel NAS devices:

  • NAS326 – firmware versions prior to V5.21(AAZF.14)C0
  • NAS540 – firmware versions prior to V5.21(AATB.11)C0
  • NAS542 – firmware versions prior to V5.21(ABAG.11)C0
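A small inventory check against the three fixed versions listed above, added here as an example; it is not code from the article or from Zyxel. The version-string layout (`V<major>.<minor>(<family>.<build>)C<rev>`) and the ordering used for "prior to" (major.minor, then build, then C revision) are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Fixed firmware versions for CVE-2023-27992, as listed in the advisory above.
FIXED_VERSIONS = {
    "NAS326": "V5.21(AAZF.14)C0",
    "NAS540": "V5.21(AATB.11)C0",
    "NAS542": "V5.21(ABAG.11)C0",
}

# Assumed layout of a Zyxel firmware string: V<major>.<minor>(<family>.<build>)C<rev>
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")

def parse_version(text: str) -> Tuple[int, int, str, int, int]:
    """Split 'V5.21(AAZF.14)C0' into (5, 21, 'AAZF', 14, 0); raise on bad input."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {text!r}")
    major, minor, family, build, rev = m.groups()
    return int(major), int(minor), family, int(build), int(rev)

def is_affected(model: str, installed: str) -> Optional[bool]:
    """True if the installed firmware predates the fix, False if it is at or past it,
    None if the model is not one of the three listed (the advisory says nothing about it)."""
    fixed = FIXED_VERSIONS.get(model.upper())
    if fixed is None:
        return None
    have, want = parse_version(installed), parse_version(fixed)
    if have[2] != want[2]:
        # Family letters differ from the advisory's: refuse to compare unrelated
        # firmware lines rather than silently reporting a result (assumption).
        raise ValueError(f"firmware family {have[2]} does not match {want[2]} for {model}")
    # Assumed release order: (major, minor, build, C revision), compared numerically.
    key = lambda v: (v[0], v[1], v[3], v[4])
    return key(have) < key(want)

def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (model, version) pairs that still need the patch."""
    return [(m, v) for m, v in inventory if is_affected(m, v)]

if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = [
        ("NAS326", "V5.21(AAZF.13)C0"),
        ("NAS540", "V5.21(AATB.11)C0"),
        ("NAS542", "V5.20(ABAG.12)C0"),
        ("NAS-OTHER", "V5.21(XXXX.1)C0"),   # placeholder model, not in the advisory
    ]
    for model, version in triage(sample):
        print(f"{model} running {version}: upgrade to {FIXED_VERSIONS[model]}")
```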

Andrej Zaujec, National Cyber Security Centre Finland (NCSC-FI), and Maxim Suslov have been credited with reporting the vulnerability.

Patch quickly!

NAS devices are often targeted by attackers wielding specialized ransomware and malware such as the Mirai bot (and variants).

There is currently no indication that CVE-2023-27992 is being actively exploited. Since Zyxel does not mention workarounds or mitigations, owners/admins of the aforementioned NAS device models are advised to quickly upgrade to the latest firmware version.
