Zyxel has rolled out security updates to handle a critical security flaw in its network-connected storage (NAS) gadgets that could final result in the execution of arbitrary commands on impacted devices.
Tracked as CVE-2023-27992 (CVSS score: 9.8), the issue has been explained as a pre-authentication command injection vulnerability.
“The pre-authentication command injection vulnerability in some Zyxel NAS units could let an unauthenticated attacker to execute some operating system (OS) instructions remotely by sending a crafted HTTP ask for,” Zyxel claimed in an advisory released today.
![AOMEI Backupper Lifetime](https://thecybersecurity.news/data/2021/12/AOMEI-Backupper-Professional.png)
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
Andrej Zaujec, NCSC-FI, and Maxim Suslov have been credited with identifying and reporting the flaw. The subsequent variations are impacted by CVE-2023-27992 –
- NAS326 (V5.21(AAZF.13)C0 and previously, patched in V5.21(AAZF.14)C0),
- NAS540 (V5.21(AATB.10)C0 and earlier, patched in V5.21(AATB.11)C0), and
- NAS542 (V5.21(ABAG.10)C0 and earlier, patched in V5.21(ABAG.11)C0)
The inform will come two weeks soon after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday included two flaws in Zyxel firewalls (CVE-2023-33009 and CVE-2023-33010) to its Recognised Exploited Vulnerabilities (KEV) catalog, centered on evidence of lively exploitation.
With Zyxel products turning into an attack magnet for risk actors, it really is very important that prospects implement the fixes as shortly as feasible to prevent prospective dangers.
Observed this write-up fascinating? Abide by us on Twitter and LinkedIn to study additional distinctive written content we post.
Some components of this report are sourced from:
thehackernews.com