Advisory

Zyxel issues second round of patches for the same critical vulnerability in NAS devices

Take action: Yes, patch fatigue is a real thing. Especially when a vendor issues a second fix for the same thing in 15 days. On the other hand, it's your data and your NAS that's exposed. So rant a little, be very angry at Zyxel and patch your NAS.


Learn More

Zyxel has recently released a second round of patches for a critical vulnerability (CVE-2023-27992) in consumer network attached storage (NAS) devices. The original patch release was from 5th June 2023, but apparently hasn't fixed everything.

The affected Zyxel NAS devices include:

- NAS326 – firmware versions earlier than V5.21(AAZF.14)C0
- NAS540 – firmware versions earlier than V5.21(AATB.11)C0
- NAS542 – firmware versions earlier than V5.21(ABAG.11)C0

Update

Although initially there was no evidence to suggest that CVE-2023-27992 was being actively exploited, on 265th of June the US Cybersecurity and Infrastructure Security Agency (CISA) warned that the recently patched critical vulnerability has been exploited in attacks.

Given that Zyxel has not provided any workarounds or mitigations, it is strongly recommended that owners or administrators of these NAS device models swiftly upgrade to the latest firmware version available. By doing so, they can ensure the security of their systems and protect against potential exploits related to this vulnerability.
