Zyxel has rolled out security updates to address a critical security flaw in its network-attached storage (NAS) devices that could result in the execution of arbitrary commands on affected systems.
Tracked as CVE-2023-27992 (CVSS score: 9.8), the issue has been described as a pre-authentication command injection vulnerability.
"The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request," Zyxel said in an advisory published today.
Andrej Zaujec, NCSC-FI, and Maxim Suslov have been credited with discovering and reporting the flaw. The following versions are impacted by CVE-2023-27992 –
- NAS326 (V5.21(AAZF.13)C0 and earlier, patched in V5.21(AAZF.14)C0),
- NAS540 (V5.21(AATB.10)C0 and earlier, patched in V5.21(AATB.11)C0), and
- NAS542 (V5.21(ABAG.10)C0 and earlier, patched in V5.21(ABAG.11)C0).
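The affected-version list above is what a defender actually has to act on: check every NAS in inventory against the patched firmware. The script below is an added example, not code from Zyxel or from the advisory. It assumes Zyxel's firmware strings always follow the `V<major>.<minor>(<build code>.<build>)C<rev>` pattern seen in the list, treats the parenthesised letters as a per-model build code (so a version from the wrong model is flagged rather than compared), and orders versions by (major, minor, build, rev). The sample inventory, including the hostnames and the non-NAS firewall entry, is constructed for illustration.

```python
import re

# Affected models and the fixed firmware, exactly as listed in the
# advisory for CVE-2023-27992 (the three NAS entries above).
FIXED_FIRMWARE = {
    "NAS326": "V5.21(AAZF.14)C0",
    "NAS540": "V5.21(AATB.11)C0",
    "NAS542": "V5.21(ABAG.11)C0",
}

# Assumed shape of a Zyxel firmware string: V5.21(AAZF.13)C0
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def parse_version(version):
    """Split 'V5.21(AAZF.13)C0' into ('AAZF', (5, 21, 13, 0)).

    Raises ValueError when the string does not follow the assumed pattern,
    so a mangled inventory entry is reported instead of silently compared.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {version!r}")
    major, minor, code, build, rev = m.groups()
    return code, (int(major), int(minor), int(build), int(rev))


def is_vulnerable(model, version):
    """True if the firmware is older than the patched release for this model.

    Returns None for models the advisory does not list (no claim is made
    about them). Raises ValueError if the build code does not match the
    model, which usually means the inventory row is wrong.
    """
    fixed = FIXED_FIRMWARE.get(model)
    if fixed is None:
        return None
    fixed_code, fixed_tuple = parse_version(fixed)
    code, ver_tuple = parse_version(version)
    if code != fixed_code:
        raise ValueError(
            f"{version} does not look like {model} firmware "
            f"(expected build code {fixed_code})"
        )
    return ver_tuple < fixed_tuple


def triage(inventory):
    """Map each (hostname, model, firmware) row to a status string."""
    result = {}
    for host, model, firmware in inventory:
        try:
            vulnerable = is_vulnerable(model, firmware)
        except ValueError as exc:
            result[host] = f"unparsed ({exc})"
            continue
        if vulnerable is None:
            result[host] = "not in advisory"
        elif vulnerable:
            result[host] = f"VULNERABLE - upgrade to {FIXED_FIRMWARE[model]}"
        else:
            result[host] = "patched"
    return result


# Constructed sample inventory: hostnames and the non-NAS row are made up.
SAMPLE_INVENTORY = [
    ("nas-hq-01", "NAS326", "V5.21(AAZF.13)C0"),   # last affected build
    ("nas-hq-02", "NAS326", "V5.21(AAZF.14)C0"),   # patched build
    ("nas-lab-01", "NAS540", "V5.20(AATB.9)C0"),   # older minor version
    ("nas-lab-02", "NAS542", "V5.21(ABAG.11)C0"),  # patched build
    ("nas-old", "NAS542", "5.21-ABAG-10"),         # malformed entry
    ("fw-01", "USG60", "V4.73(AAKY.1)C0"),         # not covered by this advisory
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {status}")
```

Anything reported as "unparsed" or with a mismatched build code should be checked by hand rather than assumed safe; the point of the strict pattern is that a typo in the inventory fails loudly instead of masking an unpatched device.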
The alert comes two weeks after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two flaws in Zyxel firewalls (CVE-2023-33009 and CVE-2023-33010) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
With Zyxel devices becoming an attack magnet for threat actors, it is crucial that customers apply the fixes as soon as possible to mitigate potential risks.