Why it matters: Zyxel is mostly known for its broadband and networking offerings, but the Taiwanese company also sells NAS devices for users in need of a proper network-aware storage setup. A vulnerable NAS unit is no joke, though, and Zyxel is now warning customers about a particularly nasty security issue affecting its storage products.
Zyxel has just released a new security advisory addressing CVE-2023-27992, a dangerous vulnerability found by security researchers in “some” of the NAS devices sold by the Asian company. The flaw, which has a 9.8 “Critical” severity level, is described as a pre-authentication command injection vulnerability that could bring chaos and mayhem (or, more concretely, data compromise) to users’ networking setups.
Zyxel says that the CVE-2023-27992 vulnerability could allow an unauthenticated attacker to execute “some” commands at the operating system level by remotely sending a specially crafted malicious HTTP request. The absence of an authentication requirement makes the vulnerability particularly troublesome.
The company doesn’t provide any mitigation measures, which is often the case. Instead, Zyxel is simply warning about the already available patches and the need to install them as soon as possible for “optimal protection” against any potential threat coming from the internet. The flaws were discovered by Andrej Zaujec, of NCSC-FI, and Maxim Suslov.
What Zyxel promptly provides is a list of supported devices and firmware versions affected by the CVE-2023-27992 vulnerability, which after an internal, “thorough” investigation includes the following network storage products:
- NAS326, firmware V5.21(AAZF.13)C0 and earlier, fixed in V5.21(AAZF.14)C0
- NAS540, firmware V5.21(AATB.10)C0 and earlier, fixed in V5.21(AATB.11)C0
- NAS542, firmware V5.21(ABAG.10)C0 and earlier, fixed in V5.21(ABAG.11)C0
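Checking an inventory against that list by hand is error-prone, so here is an added example (not Zyxel’s code or tooling) that parses the advisory’s version strings and flags devices still below the fixed build. The layout of the version string (major.minor, model code, build number, release revision) is assumed from the strings shown above, and the inventory entries are constructed sample data.

```python
import re

# Fixed firmware builds from the Zyxel advisory for CVE-2023-27992, by model.
# Anything older with the same model code is affected.
FIXED = {
    "NAS326": "V5.21(AAZF.14)C0",
    "NAS540": "V5.21(AATB.11)C0",
    "NAS542": "V5.21(ABAG.11)C0",
}

# Assumed layout of a Zyxel version string such as V5.21(AAZF.13)C0:
# major.minor, a model code, a build number, then a release revision.
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def parse_version(s):
    """Return (major, minor, model_code, build, rev); reject unknown formats."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {s!r}")
    major, minor, code, build, rev = m.groups()
    return (int(major), int(minor), code, int(build), int(rev))


def is_affected(model, version):
    """True if `version` on `model` predates the fixed build for CVE-2023-27992."""
    fixed = parse_version(FIXED[model])  # KeyError: model not in the advisory
    cur = parse_version(version)
    if cur[2] != fixed[2]:
        # A mismatched model code means the wrong firmware string was supplied;
        # fail loudly rather than report "not affected" by accident.
        raise ValueError(f"firmware {version} does not belong to {model}")
    # Compare major, minor, build and revision numerically; model code is fixed.
    return (cur[0], cur[1], cur[3], cur[4]) < (fixed[0], fixed[1], fixed[3], fixed[4])


# Constructed sample inventory (hostname, model, running firmware).
INVENTORY = [
    ("nas-01", "NAS326", "V5.21(AAZF.13)C0"),
    ("nas-02", "NAS326", "V5.21(AAZF.14)C0"),
    ("nas-03", "NAS542", "V5.21(ABAG.9)C0"),
]


def audit(inventory):
    """Return hostnames still running firmware affected by CVE-2023-27992."""
    return [host for host, model, ver in inventory if is_affected(model, ver)]


if __name__ == "__main__":
    for host in audit(INVENTORY):
        print(f"{host}: update required")
```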
Customers should install the latest firmware versions available for the aforementioned NAS models, as cyber-criminals and state-sponsored threat actors are usually quick to adapt their attack strategies to new flaws and exploits tested against networking products.
Together with other manufacturers of networking gear such as QNAP and Synology, Zyxel is indeed often targeted in malicious campaigns and sneaky ransomware operations conceived to compromise organizations and encrypt users’ data. Just this past month, Zyxel’s firewalls and VPN devices had to endure a new wave of massive remote attacks targeting some recently discovered flaws (CVE-2023-28771, CVE-2023-33009, and CVE-2023-33010).