The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HZyxel Nas326
HWZyxelwszystkie wersjeZyxel Nas326 Firmware
OSZyxel< 5.21\(aazf.14\)c0Zyxel Nas540
HWZyxelwszystkie wersjeZyxel Nas540 Firmware
OSZyxel< 5.21\(aatb.11\)c0Zyxel Nas542
HWZyxelwszystkie wersjeZyxel Nas542 Firmware
OSZyxel< 5.21\(abag.11\)c0
CISA KEV — detailsi
- Vendori
- Zyxel
- Producti
- Multiple Network-Attached Storage (NAS) Devices
- Added to KEVi
- June 23, 2023
- Remediation deadline (US Federal)i
- July 14, 2023(overdue)
Apply updates per vendor instructions.
Multiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability that could allow an unauthenticated attacker to execute commands remotely via a crafted HTTP request.
Related vulnerabilities
Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authenticati...
Command injection w Zyxel NAS326/NAS542 — zdalne wykonanie poleceń OS
RCE w Zyxel NAS326/NAS542 — nieuwierzytelnione wykonanie kodu przez upload pliku
Command injection w Zyxel NAS326/NAS542 — nieuwierzytelnione RCE
Command injection w parametrze setCookie urządzeń Zyxel NAS326/NAS542