Zyxel reports multiple critical vulnerabilities in their NAS devices

published: Nov. 30, 2023

Take action: If you run Zyxel NAS326 or NAS542 devices, make sure their management interface is not reachable from the internet, then apply the fixed firmware immediately. Four of the six flaws need no credentials to exploit, so every day of delay widens the window for attackers.



Zyxel, a well-known networking and storage equipment manufacturer, is alerting users to a series of critical security vulnerabilities affecting its NAS326 and NAS542 network-attached storage (NAS) products.

Zyxel NAS devices are primarily used by small to medium-sized businesses, IT professionals, and digital content creators. They serve as centralized storage hubs on a network and are sometimes exposed for remote collaboration, which is exactly the deployment that puts them within reach of the unauthenticated flaws below. For videographers, digital artists, businesses and IT professionals, these systems are integral to their operations.

The exploitation of these vulnerabilities could lead to various adverse outcomes, such as unauthorized access, leakage of sensitive system information, or complete control over the compromised NAS devices.

  1. CVE-2023-35137 (CVSS3 score 7.5): A high-severity improper authentication vulnerability in the authentication module of Zyxel NAS devices. It allows unauthenticated attackers to obtain system information through a specially crafted URL.
  2. CVE-2023-35138 (CVSS3 score 9.8): This is a critical command injection flaw found in the "show_zysync_server_contents" function of Zyxel NAS devices. It allows unauthenticated attackers to execute operating system commands via a crafted HTTP POST request.
  3. CVE-2023-37927 (CVSS3 score 8.8): A high-severity vulnerability in the CGI program of Zyxel NAS devices. It enables authenticated attackers to execute operating system commands using a crafted URL.
  4. CVE-2023-37928 (CVSS3 score 8.8): Another high-severity post-authentication command injection vulnerability found in the WSGI server of the Zyxel NAS devices. It permits authenticated attackers to execute operating system commands through a crafted URL.
  5. CVE-2023-4473 (CVSS3 score 9.8): This critical command injection flaw is located in the web server of Zyxel NAS devices, allowing unauthenticated attackers to execute operating system commands via a crafted URL.
  6. CVE-2023-4474 (CVSS3 score 9.8): Found in the WSGI server of Zyxel NAS devices, this critical vulnerability allows unauthenticated attackers to execute operating system commands with a crafted URL.

Zyxel has recommended firmware updates as the primary solution to these vulnerabilities. Users of the NAS326 model are advised to upgrade to version V5.21(AAZF.15)C0 or later, while those using NAS542 should update their firmware to V5.21(ABAG.12)C0 or later.
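Checking an inventory against the fixed versions is the one step an operator can automate here. The following is an added example, not code from Zyxel or from the original page: it parses the firmware string format shown in the advisory (V5.21(AAZF.15)C0) and decides whether each device is at or above the fixed release. The assumed structure V&lt;major&gt;.&lt;minor&gt;(&lt;family&gt;.&lt;build&gt;)C&lt;rev&gt;, the rule that the letter code identifies the model family and that the build number increases within that family, and the sample inventory are all assumptions made for this example.

```python
import re
from typing import NamedTuple

# Minimum fixed firmware per model, as published in the Zyxel advisory.
FIXED_FIRMWARE = {
    "NAS326": "V5.21(AAZF.15)C0",
    "NAS542": "V5.21(ABAG.12)C0",
}

# ASSUMPTION: Zyxel version strings follow V<major>.<minor>(<family>.<build>)C<rev>,
# where <family> is a per-model letter code and <build> increments within it.
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class Firmware(NamedTuple):
    major: int
    minor: int
    family: str
    build: int
    rev: int

    @property
    def ordering(self) -> tuple:
        # Family is compared separately; everything else orders numerically.
        return (self.major, self.minor, self.build, self.rev)


def parse_firmware(version: str) -> Firmware:
    """Parse a Zyxel firmware string; raise ValueError on anything unexpected."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {version!r}")
    major, minor, family, build, rev = m.groups()
    return Firmware(int(major), int(minor), family, int(build), int(rev))


def is_patched(model: str, installed: str) -> bool:
    """True if `installed` is at or above the fixed release for `model`."""
    if model not in FIXED_FIRMWARE:
        raise ValueError(f"no fixed version known for model {model!r}")
    fixed = parse_firmware(FIXED_FIRMWARE[model])
    have = parse_firmware(installed)
    if have.family != fixed.family:
        # A different letter code means a different product line; refuse to guess.
        raise ValueError(
            f"firmware family {have.family} does not match {model} ({fixed.family})"
        )
    return have.ordering >= fixed.ordering


def triage(inventory: list[tuple[str, str, str]]) -> dict[str, str]:
    """Map host -> 'patched' | 'vulnerable' | 'unknown' for (host, model, version) rows."""
    report = {}
    for host, model, version in inventory:
        try:
            report[host] = "patched" if is_patched(model, version) else "vulnerable"
        except ValueError:
            # Unparseable or unknown devices are flagged for manual review, never
            # silently treated as safe.
            report[host] = "unknown"
    return report


# Constructed sample inventory for the example; these are not real hosts.
SAMPLE_INVENTORY = [
    ("nas-a.example.internal", "NAS326", "V5.21(AAZF.14)C0"),  # one build short of the fix
    ("nas-b.example.internal", "NAS326", "V5.21(AAZF.15)C0"),  # exactly the fixed release
    ("nas-c.example.internal", "NAS542", "V5.21(ABAG.12)C0"),  # fixed release
    ("nas-d.example.internal", "NAS542", "V5.20(ABAG.20)C0"),  # older minor, high build
    ("nas-e.example.internal", "NAS542", "V5.21(AAZF.15)C0"),  # wrong family for model
    ("nas-f.example.internal", "NAS326", "5.21.15"),           # unexpected format
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:28s} {status}")
```

The comparison deliberately orders on (major, minor, build, rev) rather than on the build number alone, so a device on an older 5.20 train with a high build number is still reported as vulnerable, and a version whose letter code does not match the claimed model is surfaced as "unknown" rather than guessed at. Anything in the "vulnerable" or "unknown" column should be taken off the internet first and upgraded second, in line with the advisory's guidance above.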

Zyxel has not provided any alternative mitigation strategies or temporary workarounds, so restricting network access to the device until the firmware is applied is the only interim measure available.
