Three command injection vulnerabilities have been discovered in Zyxel NAS (Network Attached Storage) products. Successful exploitation could allow a threat actor to execute system commands.
Zyxel NAS (Network Attached Storage) devices provide fast, secure, and reliable storage services for data storage and file-sharing requests. Zyxel offers Zyxel Drive, allowing users to access Zyxel NAS devices over the internet even if they are not connected to the same network.
Users can retrieve, upload, and manage the files that are stored in the NAS devices. Zyxel has released a security advisory for these vulnerabilities and has patched the affected NAS products.
This vulnerability exists in the “show_zysync_server_contents” function of Zyxel NAS devices and could allow an unauthenticated threat actor to execute operating system commands.
An attacker can exploit this vulnerability by sending a crafted HTTP POST request. The severity for this vulnerability has been given as 9.8 (Critical).
This is a post-authentication command injection vulnerability in the WSGI server of the NAS devices. An unauthenticated threat actor can execute operating system commands on the affected devices by sending a crafted URL.
The severity for this vulnerability has been given as 8.8 (High).
This vulnerability exists in the web server of Zyxel NAS devices and could allow an unauthenticated threat actor to execute operating system commands. Successful exploitation requires a threat actor to send a crafted URL to the vulnerable devices.
The severity rating for this vulnerability has been given as 9.8 (Critical).
Affected versions:
V5.21(AAZF.14)C0 and earlier
V5.21(ABAG.11)C0 and earlier
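The following is an added example, not code from Zyxel or the original article: it checks an inventory of firmware strings against the two "and earlier" ceilings listed above. It assumes firmware strings follow the layout V<major>.<minor>(<model code>.<build>)C<n> and are ordered by major, minor, then build; the hostnames and inventory values are constructed.

```python
import re

# Ceilings copied from the affected-version list in this article.
AFFECTED_UP_TO = ["V5.21(AAZF.14)C0", "V5.21(ABAG.11)C0"]

# Assumed layout: V<major>.<minor>(<model code>.<build>)C<customisation>
_FW = re.compile(r"^V(\d+)\.(\d+)\(([A-Z0-9]+)\.(\d+)\)C(\d+)$")


def parse_firmware(text):
    """Return (model_code, (major, minor, build)) or raise ValueError."""
    m = _FW.match(text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    major, minor, code, build, _custom = m.groups()
    # Integers, not strings: build 9 must sort below build 11.
    return code, (int(major), int(minor), int(build))


_CEILINGS = dict(parse_firmware(v) for v in AFFECTED_UP_TO)


def classify(text):
    """'affected', 'not-listed-as-affected', 'unknown-model' or 'unparseable'."""
    try:
        code, version = parse_firmware(text)
    except ValueError:
        return "unparseable"
    ceiling = _CEILINGS.get(code)
    if ceiling is None:
        return "unknown-model"  # model code not in the article's list
    return "affected" if version <= ceiling else "not-listed-as-affected"


def audit(inventory):
    """Map host -> classification for a {host: firmware string} inventory."""
    return {host: classify(fw) for host, fw in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; hostnames and reported versions are made up.
    sample = {
        "nas-a": "V5.21(AAZF.14)C0",
        "nas-b": "V5.21(AAZF.15)C0",
        "nas-c": "v5.21(abag.9)c0",
        "nas-d": "V5.21(ZZZZ.3)C0",
        "nas-e": "5.21-beta",
    }
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```

Devices reported as "unknown-model" or "unparseable" need a manual check against the vendor advisory rather than being treated as safe.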
Zyxel also credited the consultancies and security researchers who have responsibly reported these vulnerabilities to them. Credits were given to