Critical Vulnerability Discovered in Patched Zyxel Storage Devices

On June 20, 2023, Zyxel, a well-known network-attached storage (NAS) device manufacturer, disclosed a critical security flaw known as CVE-2023-27992. This pre-authentication command injection vulnerability has been assigned a high CVSS score of 9.8, indicating its severe impact and ease of exploitation. Read on to learn more about this vulnerability and the steps you can take to ensure your network environment is secure.  

Who is Zyxel?

Zyxel is a global technology and networking solution provider, offering a wide range of devices, including network-attached storage (NAS). The company serves small- to medium-sized businesses and enterprises in partnership with VARs, MSPs and systems integrators.  

Tell me about the Zyxel pre-authentication command injection vulnerability

A command injection is a cyberattack that involves executing arbitrary commands on a host operating system (OS). This could allow the attacker to gain access to sensitive information and ultimately lead to a complete compromise of the system. 

In the case of Zyxel, an unauthenticated threat actor could remotely execute operating system commands by sending a specially crafted HTTP request.  

This flaw affects the following Zyxel NAS devices: 

  • NAS326 (V5.21(AAZF.13)C0 and earlier, patched in V5.21(AAZF.14)C0) 
  • NAS540 (V5.21(AATB.10)C0 and earlier, patched in V5.21(AATB.11)C0) 
  • NAS542 (V5.21(ABAG.10)C0 and earlier, patched in V5.21(ABAG.11)C0) 

This critical disclosure follows recent reports of active exploitation of two other vulnerabilities in Zyxel’s firewall devices (CVE-2023-33009 and CVE-2023-33010), further intensifying the scrutiny of Zyxel’s products. With increasing interest from threat actors, it is imperative for Zyxel’s customers to promptly apply the provided security patches to mitigate the potential risks. 

Zyxel’s customers should review and monitor Zyxel’s security advisory on the vulnerability.

What is Nuspire doing?

Nuspire is not affected by this vulnerability and conducts threat hunts within client environments for indications of compromise.

What should I do?

Given the critical nature of the Zyxel pre-authentication command injection vulnerability and the increasing focus on the company’s devices by threat actors, users are strongly urged to: 

  • Apply the latest security patches to their Zyxel NAS devices as follows:
      • For NAS326, upgrade to V5.21(AAZF.14)C0 or later
      • For NAS540, upgrade to V5.21(AATB.11)C0 or later
      • For NAS542, upgrade to V5.21(ABAG.11)C0 or later
  • Continuously monitor updates from Zyxel regarding this vulnerability
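
An added example, not code from Zyxel or Nuspire: a short Python check that compares inventoried firmware strings against the fixed releases listed above. The version layout is inferred from those strings, the comparison ignores the trailing C-number (an assumption), and the hostnames and inventory entries are constructed sample data.

```python
import re

# Fixed releases as listed in this advisory: model -> (firmware code, version, patch level)
FIXED = {
    "NAS326": ("AAZF", (5, 21), 14),
    "NAS540": ("AATB", (5, 21), 11),
    "NAS542": ("ABAG", (5, 21), 11),
}

# Layout inferred from the strings in the advisory: V<major>.<minor>(<code>.<patch>)C<rev>
FW_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def assess(model, firmware):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory entry."""
    fixed = FIXED.get(model.strip().upper())
    match = FW_RE.match(firmware.strip())
    if fixed is None or match is None:
        return "unknown"  # model not in the advisory, or string not parseable
    code, fixed_version, fixed_patch = fixed
    major, minor, fw_code, patch, _rev = match.groups()
    if fw_code != code:
        return "unknown"  # firmware code belongs to another model: check by hand
    # Assumption: releases order by version, then patch level; C<rev> is ignored.
    current = ((int(major), int(minor)), int(patch))
    return "patched" if current >= (fixed_version, fixed_patch) else "vulnerable"


# Constructed inventory: hostnames and installed versions are sample data.
INVENTORY = [
    ("nas-office", "NAS326", "V5.21(AAZF.13)C0"),
    ("nas-backup", "NAS540", "V5.21(AATB.11)C0"),
    ("nas-media", "NAS542", "V5.21(ABAG.10)C0"),
    ("nas-lab", "NAS540", "V5.21(AAZF.14)C0"),  # code/model mismatch
]


def report(inventory):
    """Map each hostname to its assessment."""
    return {host: assess(model, fw) for host, model, fw in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Entries reported as unknown need a manual look rather than being treated as safe.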
