Zyxel has released patches to address 15 security issues impacting network-attached storage (NAS), firewall, and access point (AP) devices, including three critical flaws that could lead to authentication bypass and command injection.
The three vulnerabilities are listed below –
- CVE-2023-35138 (CVSS score: 9.8) – A command injection vulnerability that could allow an unauthenticated attacker to execute some operating system commands by sending a crafted HTTP POST request.
- CVE-2023-4473 (CVSS score: 9.8) – A command injection vulnerability in the web server that could allow an unauthenticated attacker to execute some operating system commands by sending a crafted URL to a vulnerable device.
- CVE-2023-4474 (CVSS score: 9.8) – An improper neutralization of special elements vulnerability that could allow an unauthenticated attacker to execute some operating system commands by sending a crafted URL to a vulnerable device.
Also patched by Zyxel are three high-severity flaws (CVE-2023-35137, CVE-2023-37927, and CVE-2023-37928) that, if successfully exploited, could allow attackers to obtain system information and execute arbitrary commands. It is worth noting that both CVE-2023-37927 and CVE-2023-37928 require authentication, so they are a post-compromise or insider concern rather than an unauthenticated remote one.
The flaws affect the following models and versions –
- NAS326 – versions V5.21(AAZF.14)C0 and earlier (Patched in V5.21(AAZF.15)C0)
- NAS542 – versions V5.21(ABAG.11)C0 and earlier (Patched in V5.21(ABAG.12)C0)
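The quickest practical check is to compare each device's running firmware string against the last affected build for its model. The script below is an added example written for this article, not Zyxel's tooling or code from the original post. It assumes the firmware string grammar shown in the two lines above (V<major>.<minor>(<family>.<build>)C<rev>) and that the family code identifies the model (AAZF for NAS326, ABAG for NAS542); the inventory it runs over is constructed sample data.

```python
import re
from typing import NamedTuple

# Last affected and first fixed builds, copied from the advisory text above.
ADVISORY = {
    "NAS326": {"last_affected": "V5.21(AAZF.14)C0", "fixed": "V5.21(AAZF.15)C0"},
    "NAS542": {"last_affected": "V5.21(ABAG.11)C0", "fixed": "V5.21(ABAG.12)C0"},
}

# Assumed grammar of the version string: V<major>.<minor>(<family>.<build>)C<rev>
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    family: str   # e.g. AAZF (NAS326) or ABAG (NAS542), assumed per-model
    build: int
    c_rev: int

    @classmethod
    def parse(cls, text: str) -> "ZyxelVersion":
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised Zyxel version string: {text!r}")
        major, minor, family, build, c_rev = m.groups()
        return cls(int(major), int(minor), family, int(build), int(c_rev))

    def key(self) -> tuple:
        # Numeric components only; the family code is compared separately.
        return (self.major, self.minor, self.build, self.c_rev)


def is_affected(model: str, version_text: str) -> bool:
    """True if the running build is the last affected build or anything earlier."""
    entry = ADVISORY.get(model)
    if entry is None:
        raise KeyError(f"model {model!r} is not covered by this advisory")
    running = ZyxelVersion.parse(version_text)
    last_affected = ZyxelVersion.parse(entry["last_affected"])
    if running.family != last_affected.family:
        # A family mismatch usually means the inventory's model field is wrong;
        # refuse to guess rather than silently report "not affected".
        raise ValueError(
            f"{model} firmware family {running.family!r} does not match "
            f"expected {last_affected.family!r}"
        )
    return running.key() <= last_affected.key()


def devices_needing_patch(inventory):
    """Return (host, model, running, fixed) for every device still on an affected build."""
    return [
        (host, model, version, ADVISORY[model]["fixed"])
        for host, model, version in inventory
        if is_affected(model, version)
    ]


# Constructed sample inventory (not data from the article).
SAMPLE_INVENTORY = [
    ("nas-01", "NAS326", "V5.21(AAZF.14)C0"),  # last affected build
    ("nas-02", "NAS326", "V5.21(AAZF.15)C0"),  # first fixed build
    ("nas-03", "NAS542", "V5.20(ABAG.9)C0"),   # older minor release, still affected
    ("nas-04", "NAS542", "V5.21(ABAG.12)C0"),  # first fixed build
]

if __name__ == "__main__":
    for host, model, running, fixed in devices_needing_patch(SAMPLE_INVENTORY):
        print(f"{host} ({model}) runs {running}; upgrade to {fixed}")
```

Comparison is done on the (major, minor, build, C-revision) tuple, so older minor releases such as V5.20 are correctly flagged as "earlier" rather than only builds of the same 5.21 train.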
The advisory arrives days after the Taiwanese networking vendor shipped fixes for nine flaws in select firewall and access point (AP) models, some of which could be weaponized to access system information and administrator logs, as well as cause a denial-of-service (DoS) condition.
With Zyxel devices routinely targeted by threat actors, it is highly recommended that users apply the latest updates to mitigate potential threats, and, until they can, keep the NAS web interface off the public internet, since the three critical flaws are reachable by unauthenticated attackers.