** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the CGI program "remote_help-cgi" in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.
An attacker sends a specially crafted HTTP POST request to the 'remote_help-cgi' CGI program available on the NAS device's network interface. The vulnerable program does not properly validate input data provided by the user, allowing arbitrary operating system commands to be injected (command injection, CWE-78). The attack requires no authentication or user interaction, and devices are often directly accessible from the internet as NAS-class solutions.
An attacker can execute arbitrary operating system commands on the vulnerable device, which in practice means complete takeover of control — ability to read, modify or delete data and further movement in the network (lateral movement).
Update Zyxel NAS326 firmware to version V5.21(AAZF.17)C0 or later and Zyxel NAS542 to version V5.21(ABAG.14)C0 or later according to manufacturer recommendations. Due to the fact that the products are officially marked as unsupported, migration to actively supported devices should be considered. Until the patch is applied, restrict access to the device management interface to trusted networks only and block internet access using a firewall.
Zyxel NAS326 with firmware versions earlier than V5.21(AAZF.17)C0 and Zyxel NAS542 with firmware versions earlier than V5.21(ABAG.14)C0. It should be noted that at the time of CVE assignment, these products were marked as unsupported (UNSUPPORTED WHEN ASSIGNED).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HZyxel Nas326
HWZyxelwszystkie wersjeZyxel Nas326 Firmware
OSZyxel< 5.21\(aazf.17\)c0Zyxel Nas542
HWZyxelwszystkie wersjeZyxel Nas542 Firmware
OSZyxel< 5.21\(abag.14\)c0
Related vulnerabilities
The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AA...
Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authenticati...
Command injection w Zyxel NAS326/NAS542 — zdalne wykonanie poleceń OS
RCE w Zyxel NAS326/NAS542 — nieuwierzytelnione wykonanie kodu przez upload pliku
Command injection w parametrze setCookie urządzeń Zyxel NAS326/NAS542