Zyxel released security updates to address a critical security flaw, tracked as (CVSS score: 9.8), affecting its network-attached storage (NAS) devices.
The vulnerability is a pre-authentication command injection issue that impacts the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0. A remote, unauthenticated attacker can exploit the vulnerability to execute some operating system (OS) commands by sending a specially crafted HTTP request.
“Zyxel has released patches addressing a pre-authentication command injection vulnerability in some NAS versions.” reads the published by Zyxel. “The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request,”
The vulnerability was reported by Andrej Zaujec, NCSC-FI, and Maxim Suslov.
In early June, Zyxel published guidance for protecting firewall and VPN devices from the ongoing attacks and exploiting , , and vulnerabilities.
Threat actors are actively attempting to exploit the command injection vulnerability impacting Zyxel firewalls. Their objective is to leverage this vulnerability to deploy and install malware on the affected systems. US CISA the vulnerability to its Known Exploited Vulnerability to Catalog based on evidence of active exploitation.
In late April, Zyxel addressed the critical vulnerability CVE-2023-28771 (CVSS score 9.8) in its firewall devices. The company promptly advised customers to install the provided patches in order to mitigate the vulnerability.
The vulnerability is being actively exploited to recruit vulnerable devices in a Mirai-like botnet.
The other two issues, tracked as and , are critical buffer overflow vulnerabilities. A remote, unauthenticated attacker can can trigger the flaws to cause a denial-of-service (DoS) condition and remote code execution on vulnerable devices.
The company states that devices under attack become unresponsive and their Web GUI or SSH management interface are not reachable.
Follow me on Twitter: and and Mastodon
(SecurityAffairs – hacking, firewall)