Zyxel has released patches to address 15 security issues affecting its network-attached storage (NAS), firewall, and access point (AP) devices, including three critical flaws that could lead to authentication bypass and command injection.
The three critical vulnerabilities are detailed below –
- CVE-2023-35138 (CVSS score: 9.8) – A command injection vulnerability that could allow an unauthenticated attacker to execute some operating system commands by sending a crafted HTTP POST request.
- CVE-2023-4473 (CVSS score: 9.8) – A command injection vulnerability in the web server that could allow an unauthenticated attacker to execute some operating system commands by sending a crafted URL to a vulnerable device.
- CVE-2023-4474 (CVSS score: 9.8) – An improper neutralization of special elements vulnerability that could allow an unauthenticated attacker to execute some operating system commands by sending a crafted URL to a vulnerable device.
Also patched by Zyxel are three high-severity flaws (CVE-2023-35137, CVE-2023-37927, and CVE-2023-37928) that, if successfully exploited, could allow attackers to obtain system information and execute arbitrary commands. It is worth noting that both CVE-2023-37927 and CVE-2023-37928 require authentication, which limits them to an attacker who already holds valid credentials.
The NAS flaws affect the following models and versions –
- NAS326 – versions V5.21(AAZF.14)C0 and earlier (Patched in V5.21(AAZF.15)C0)
- NAS542 – versions V5.21(ABAG.11)C0 and earlier (Patched in V5.21(ABAG.12)C0)
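Checking a fleet against the two version lines above is error-prone by eye because Zyxel firmware strings mix a numeric version with a per-model letter code. The following is an added example (not Zyxel's or The Hacker News' code) that parses that string layout and flags devices still on pre-patch firmware. It assumes that firmware order is the numeric order of (major, minor, build, release) and that the letters in parentheses only identify the hardware model; the inventory rows, hostnames and the out-of-scope model in the sample are constructed for illustration.

```python
import re

# Patched firmware for the affected NAS models, taken from the advisory
# summary above. Anything older than these is treated as vulnerable.
PATCHED = {
    "NAS326": "V5.21(AAZF.15)C0",
    "NAS542": "V5.21(ABAG.12)C0",
}

# Layout V<major>.<minor>(<model code>.<build>)C<release>, e.g. V5.21(AAZF.14)C0.
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def parse_version(version):
    """Split a Zyxel firmware string into (model_code, comparable tuple).

    ASSUMPTION (not stated in the advisory): firmware order is the numeric
    order of (major, minor, build, release); the letter code in parentheses
    identifies the hardware model and must match exactly."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised Zyxel firmware string: {version!r}")
    major, minor, code, build, release = m.groups()
    return code, (int(major), int(minor), int(build), int(release))


def is_vulnerable(model, version):
    """True when `version` is older than the patched release for `model`.

    Unknown models raise KeyError and a model-code mismatch raises ValueError
    instead of silently returning False, so a mislabelled inventory row
    cannot hide an unpatched device."""
    patched_code, patched = parse_version(PATCHED[model])
    code, current = parse_version(version)
    if code != patched_code:
        raise ValueError(
            f"{version!r} carries model code {code}, expected {patched_code} for {model}"
        )
    return current < patched


def scan_inventory(rows):
    """Return (vulnerable_hosts, problems) for rows of (host, model, version).

    Rows that cannot be evaluated are reported separately, never dropped."""
    vulnerable, problems = [], []
    for host, model, version in rows:
        try:
            if is_vulnerable(model, version):
                vulnerable.append(host)
        except (KeyError, ValueError) as exc:
            problems.append((host, str(exc)))
    return vulnerable, problems


# Constructed sample inventory: hostnames and the last row's model/code are
# made up for this example and do not describe real devices.
SAMPLE_INVENTORY = [
    ("nas-finance-01", "NAS326", "V5.21(AAZF.14)C0"),  # unpatched
    ("nas-finance-02", "NAS326", "V5.21(AAZF.15)C0"),  # patched
    ("nas-backup-01", "NAS542", "V5.20(ABAG.30)C0"),   # older minor, unpatched
    ("nas-backup-02", "NAS542", "V5.21(ABAG.12)C0"),   # patched
    ("nas-lab-01", "NAS542", "V5.21(AAZF.15)C0"),      # wrong model code: flag it
    ("nas-lab-02", "NAS-other", "V5.21(XXXX.9)C0"),    # model not in this advisory
]

if __name__ == "__main__":
    hosts, issues = scan_inventory(SAMPLE_INVENTORY)
    print("Needs update:", hosts)
    for host, why in issues:
        print(f"Could not evaluate {host}: {why}")
```

The strict failure modes are deliberate: a row whose model code does not match the model name, or a model the advisory does not list, ends up in the problems list for a human to look at rather than being quietly counted as safe.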
The advisory comes days after the Taiwanese networking vendor shipped fixes for nine flaws in select firewall and access point (AP) models, some of which could be weaponized to access system files and administrator logs, as well as to cause a denial-of-service (DoS) condition.
With Zyxel devices frequently exploited by threat actors, it is highly recommended that users apply the latest updates to mitigate potential threats.
Some parts of this article are sourced from:
thehackernews.com