Zyxel has rolled out security updates to address a critical security flaw in its network-attached storage (NAS) devices that could result in the execution of arbitrary commands on affected devices.
Tracked as CVE-2023-27992 (CVSS score: 9.8), the issue has been described as a pre-authentication command injection vulnerability.
“The pre-authentication command injection vulnerability in some Zyxel NAS products could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request,” Zyxel said in an advisory published today.
Andrej Zaujec, NCSC-FI, and Maxim Suslov have been credited with discovering and reporting the flaw. The following versions are affected by CVE-2023-27992:
- NAS326 (V5.21(AAZF.13)C0 and earlier, patched in V5.21(AAZF.14)C0),
- NAS540 (V5.21(AATB.10)C0 and earlier, patched in V5.21(AATB.11)C0), and
- NAS542 (V5.21(ABAG.10)C0 and earlier, patched in V5.21(ABAG.11)C0)
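The version strings above follow Zyxel's `V<major>.<minor>(<branch>.<build>)C<release>` layout, and "and earlier" means every build up to the listed one on that model's branch is affected. The script below is an added example, not code from the article or from Zyxel: it parses that format, checks a device against the affected/patched builds listed above, and triages a small inventory. The hostnames, the inventory rows and the `NASXXX` model are constructed sample data; the branch-mismatch check (a NAS326 string should carry the `AAZF` branch code, for instance) is a sanity check of my own, not something the advisory states.

```python
import re

# Per the Zyxel advisory for CVE-2023-27992:
# model -> (last vulnerable build, first patched build)
ADVISORY = {
    "NAS326": ("V5.21(AAZF.13)C0", "V5.21(AAZF.14)C0"),
    "NAS540": ("V5.21(AATB.10)C0", "V5.21(AATB.11)C0"),
    "NAS542": ("V5.21(ABAG.10)C0", "V5.21(ABAG.11)C0"),
}

# V5.21(AAZF.13)C0 -> major=5, minor=21, branch=AAZF, build=13, release=0
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def parse_version(s):
    """Parse a Zyxel firmware string into (major, minor, branch, build, release).

    Raises ValueError for anything that does not match the expected layout,
    so a stray or hand-typed value is never silently treated as 'patched'.
    """
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {s!r}")
    major, minor, branch, build, release = m.groups()
    return (int(major), int(minor), branch, int(build), int(release))


def is_vulnerable(model, version):
    """True if `version` is at or below the last vulnerable build for `model`.

    Models missing from ADVISORY raise KeyError rather than reporting 'safe';
    a branch code that does not match the model's branch raises ValueError,
    because that usually means the inventory row has the wrong model.
    """
    last_vulnerable, _first_patched = ADVISORY[model]
    v = parse_version(version)
    lv = parse_version(last_vulnerable)
    if v[2] != lv[2]:
        raise ValueError(f"{version!r} is not on the {model} branch {lv[2]}")
    # Compare numerically (major, minor, build, release) within the branch.
    return (v[0], v[1], v[3], v[4]) <= (lv[0], lv[1], lv[3], lv[4])


def triage(inventory):
    """Classify (hostname, model, version) rows as vulnerable/patched/unknown.

    'unknown' covers models outside the advisory and unparseable versions;
    both need a human look rather than being dropped from the report.
    """
    results = []
    for host, model, version in inventory:
        try:
            status = "vulnerable" if is_vulnerable(model, version) else "patched"
        except (KeyError, ValueError):
            status = "unknown"
        results.append((host, status))
    return results


# Constructed sample inventory; hostnames and the NASXXX model are hypothetical.
SAMPLE_INVENTORY = [
    ("nas-01", "NAS326", "V5.21(AAZF.13)C0"),   # last vulnerable build
    ("nas-02", "NAS326", "V5.21(AAZF.14)C0"),   # first patched build
    ("nas-03", "NAS542", "V5.21(ABAG.9)C0"),    # older than listed -> still vulnerable
    ("nas-04", "NAS540", "V5.21(AATB.11)C0"),   # patched
    ("nas-05", "NASXXX", "V5.21(ZZZZ.1)C0"),    # hypothetical model, not in advisory
    ("nas-06", "NAS326", "5.21.13"),            # malformed version string
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Feed it the model and firmware string from each NAS and act on every `vulnerable` and `unknown` row; the comparison is numeric on build and release numbers, so `AAZF.9` correctly sorts below `AAZF.13` where a plain string comparison would not.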
The alert arrives two weeks after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two flaws in Zyxel firewalls (CVE-2023-33009 and CVE-2023-33010) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
With Zyxel devices becoming an attack magnet for threat actors, it's crucial that customers apply the fixes as soon as possible to mitigate potential threats.
Some parts of this article are sourced from:
thehackernews.com