Zyxel Command Injection Vulnerability Let Attackers Execute OS Commands

Zyxel has been one of the world’s leading networking products manufacturing companies and one of the top companies in the telecommunications industry. 

The company has customers worldwide, including the United States, the United Kingdom, France, and India.

Zyxel NAS (Network-Attached Storage) devices were recently discovered with a pre-authentication command injection vulnerability that can allow a remote attacker to execute operating system commands by sending malicious HTTP requests.

CVE-2023-27992: Pre-authentication Command Injection Vulnerability in Zyxel NAS Products

This vulnerability exists in some of the products inside the Zyxel NAS firmware that can allow an unauthenticated attacker to execute OS commands through crafted HTTP requests.

Two Security researchers named Andrej Zaujec from NCSC-FI and Maxim Suslov discovered this command injection vulnerability. The vulnerability receives a CVSS Score of 9.8 (Critical).

Affected Products

Affected model	Affected version	Patch availability
NAS326	V5.21(AAZF.13)C0 and earlier	V5.21(AAZF.14)C0
NAS540	V5.21(AATB.10)C0 and earlier	V5.21(AATB.11)C0
NAS542	V5.21(ABAG.10)C0 and earlier	V5.21(ABAG.11)C0

Users of Zyxel NAS products are advised to update to the latest software version to prevent attackers from exploiting this vulnerability. 

Zyxel, a subsidiary of Unizyx Holding corporation, has an overall revenue of 32 billion Taiwanese Dollars as of 2021 and has employees of more than 650+ worldwide. The company specializes in 5G/4G NR, DSL, modems, VoIP telephones, and other telecommunication products.

The company was established in 1989 and has made several breakthroughs by introducing World’s 1st ADSL2+ gateway (2004), palm-sized portable firewall (2005), Analog/Digital.

“AI-based email security measures Protect your business From Email Threats!” – .