Zyxel has rolled out security updates to handle a critical security flaw in its network-connected storage (NAS) gadgets that could final result in the execution of arbitrary commands on impacted devices.
Tracked as CVE-2023-27992 (CVSS score: 9.8), the issue has been explained as a pre-authentication command injection vulnerability.
“The pre-authentication command injection vulnerability in some Zyxel NAS units could let an unauthenticated attacker to execute some operating system (OS) instructions remotely by sending a crafted HTTP ask for,” Zyxel claimed in an advisory released today.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
Andrej Zaujec, NCSC-FI, and Maxim Suslov have been credited with identifying and reporting the flaw. The subsequent variations are impacted by CVE-2023-27992 –
- NAS326 (V5.21(AAZF.13)C0 and previously, patched in V5.21(AAZF.14)C0),
- NAS540 (V5.21(AATB.10)C0 and earlier, patched in V5.21(AATB.11)C0), and
- NAS542 (V5.21(ABAG.10)C0 and earlier, patched in V5.21(ABAG.11)C0)
The inform will come two weeks soon after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday included two flaws in Zyxel firewalls (CVE-2023-33009 and CVE-2023-33010) to its Recognised Exploited Vulnerabilities (KEV) catalog, centered on evidence of lively exploitation.
With Zyxel products turning into an attack magnet for risk actors, it really is very important that prospects implement the fixes as shortly as feasible to prevent prospective dangers.
Observed this write-up fascinating? Abide by us on Twitter and LinkedIn to study additional distinctive written content we post.
Some components of this report are sourced from:
thehackernews.com