On June 20, 2023, Zyxel, a well-known network-attached storage (NAS) device manufacturer, disclosed a critical security flaw known as CVE-2023-27992. This pre-authentication command injection vulnerability has been assigned a high CVSS score of 9.8, indicating its severe impact and ease of exploitation. Read on to learn more about this vulnerability and the steps you can take to ensure your network environment is secure.
Zyxel is a global technology and networking solution provider, offering a wide range of devices, including network-attached storage (NAS). The company serves small- to medium-sized businesses and enterprises in partnership with VARs, MSPs and systems integrators.
Command injection is a cyberattack in which an attacker executes arbitrary commands on a host operating system (OS). This could allow the attacker to gain access to sensitive information and could ultimately lead to a complete compromise of the system.
In the case of Zyxel, an unauthenticated threat actor could remotely execute operating system commands by sending a specially crafted HTTP request.
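The vulnerability class described above, as an added illustration that is not from the original post and does not reproduce the Zyxel flaw (the page gives no details of the affected code). It contrasts a hypothetical unauthenticated handler that interpolates a request value into a shell command line with a hardened one; the handler names, the `host` parameter and the sample value are assumptions, and the injected command is a harmless `echo` marker.

```python
import re
import subprocess

# Constructed request value: a name, a shell metacharacter, and a harmless marker command.
CRAFTED = "nas01; echo INJECTED"
# Allowlist for the hypothetical "host" parameter: letters, digits, dot and hyphen only.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,62}")


def vulnerable_handler(params):
    """Weak pattern: no authentication check, and the request value is
    interpolated into a command line that /bin/sh then parses."""
    cmd = f"echo checking {params['host']}"
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return 200, done.stdout


def run_without_shell(host):
    """argv form: the value is a single argument, so ';' is never parsed as a separator."""
    done = subprocess.run(["echo", "checking", host], capture_output=True, text=True)
    return done.stdout


def hardened_handler(params, authenticated):
    """Authenticate first, validate against the allowlist, then run with no shell."""
    if not authenticated:
        return 401, ""
    host = params.get("host", "")
    if not HOST_RE.fullmatch(host):
        return 400, ""
    return 200, run_without_shell(host)


if __name__ == "__main__":
    print(vulnerable_handler({"host": CRAFTED}))
    print(run_without_shell(CRAFTED))
    print(hardened_handler({"host": CRAFTED}, authenticated=False))
    print(hardened_handler({"host": CRAFTED}, authenticated=True))
    print(hardened_handler({"host": "nas01"}, authenticated=True))
```

In the vulnerable handler the marker runs as a second command, while the argv form echoes the whole value back as literal text and the hardened handler rejects it before any process is started.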
This flaw affects the following Zyxel NAS devices:
This critical disclosure follows recent reports of active exploitation of two other vulnerabilities in Zyxel’s firewall devices (CVE-2023-33009 and CVE-2023-33010), further intensifying the scrutiny of Zyxel’s products. With increasing interest from threat actors, it is imperative for Zyxel’s customers to promptly apply the provided security patches to mitigate the potential risks.
Zyxel’s customers should review and monitor the company’s security advisory on the vulnerability.
Nuspire is not affected by this vulnerability and is threat hunting within client environments for indications of compromise.
Given the critical nature of the Zyxel pre-authentication command injection vulnerability and the increasing focus on the company’s devices by threat actors, users are strongly urged to: