Zyxel is warning users of its Network Attached Storage (NAS) devices to update their firmware to address a critical-severity command injection vulnerability.
The newly discovered vulnerability, CVE-2023-27992, is a pre-authentication command injection issue that could allow an unauthenticated attacker to execute operating system commands by sending specially crafted HTTP requests.
The flaw was discovered by Andrej Zaujec, NCSC-FI, and Maxim Suslov and received a CVSS v3 score of 9.8, rating it “critical”.
The affected devices, firmware versions and fixed versions are:
- NAS326 – impacts V5.21(AAZF.13)C0 and earlier, fixed in V5.21(AAZF.14)C0
- NAS540 – impacts V5.21(AATB.10)C0 and earlier, fixed in V5.21(AATB.11)C0
- NAS542 – impacts V5.21(ABAG.10)C0 and earlier, fixed in V5.21(ABAG.11)C0
Zyxel did not provide any workaround or mitigation for CVE-2023-27992 in its latest notice, so users of affected NAS devices are advised to apply the available security updates as soon as possible.
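To check an inventory against the fixed versions listed above, here is an added example (not from Zyxel or the original article). It assumes firmware strings follow the `V5.21(AAZF.13)C0` pattern shown in the list and that builds order by the number after the four-letter series code; the hostnames are constructed.

```python
import re

# Fixed builds from the advisory list above, keyed by the four-letter
# series code inside the parentheses of the firmware string.
FIXED = {
    "AAZF": ("NAS326", (5, 21), 14),
    "AATB": ("NAS540", (5, 21), 11),
    "ABAG": ("NAS542", (5, 21), 11),
}
VERSION_RE = re.compile(r"V(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)C\d+")


def assess(version):
    """Return (model, status) for one firmware version string."""
    m = VERSION_RE.fullmatch(version.strip())
    if m is None:
        return None, "unparseable"
    series = m.group(3)
    if series not in FIXED:
        return None, "not-listed"
    model, fixed_release, fixed_build = FIXED[series]
    # Assumption: builds order by (major, minor) and then by the number
    # after the series code, compared as integers so that 9 < 11.
    release = (int(m.group(1)), int(m.group(2)))
    build = int(m.group(4))
    if (release, build) >= (fixed_release, fixed_build):
        return model, "fixed"
    return model, "vulnerable"


def hosts_needing_attention(inventory):
    """Return (host, model, status) for every host not confirmed fixed."""
    flagged = []
    for line in inventory.strip().splitlines():
        host, _, version = line.partition(",")
        model, status = assess(version)
        if status != "fixed":  # fail closed: unknown strings get reviewed
            flagged.append((host.strip(), model, status))
    return flagged


# Constructed inventory (hostnames invented for this example).
SAMPLE_INVENTORY = """
nas-office,V5.21(AAZF.13)C0
nas-lab,V5.21(AATB.11)C0
nas-backup,V5.21(ABAG.9)C0
nas-old,5.21-unknown
"""

if __name__ == "__main__":
    for host, model, status in hosts_needing_attention(SAMPLE_INVENTORY):
        print(f"{host}: {model or 'unknown model'} -> {status}")
```

Hosts whose version string cannot be parsed or whose series code is not in the list are flagged for manual review rather than treated as patched.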
BleepingComputer also strongly advises all NAS owners not to expose their devices to the internet and to make them accessible only from the local network or via a VPN. Simply placing a NAS device behind a firewall will greatly reduce its exposure to new vulnerabilities, as hackers cannot easily target it.
Currently, the complexity of the malicious HTTP request and other conditions for exploiting the new vulnerability are unknown. However, the fact that the exploit does not require authentication makes this flaw easier to exploit.
Hackers are always on the lookout for critical flaws in Zyxel devices that can be exploited remotely, and they quickly adopt publicly available PoC (proof of concept) exploits to attack devices that have not been patched to a secure firmware version.
NAS devices are a particularly attractive target for ransomware operations that remotely exploit vulnerabilities to encrypt files and issue ransom demands. In the past, QNAP and Synology NAS devices were targeted by ransomware in widespread attacks.
Just last month, users of Zyxel firewalls and VPN products were subjected to enormous attack waves from Mirai-based botnets and may have been targeted by more selective and sophisticated malicious actors.
Attackers actively targeted the CVE-2023-28771, CVE-2023-33009, and CVE-2023-33010 flaws, which impact ATP, USG FLEX, VPN, and ZyWALL devices.
At the beginning of June, the vendor published a security advisory containing tips for protecting these products against attacks that had been going on for more than a month.
That said, it’s crucial to take quick action to secure Zyxel NAS devices and their valuable data, as attacks can begin any time now.