Command Injection Vulnerability in Zyxel NAS Devices
CVE-2023-37927

8.8HIGH

Key Information:

Vendor: Zyxel
Status: Nas326 Firmware; Nas542 Firmware
Vendor: CVE Published:; 30 November 2023

Summary

The Zyxel NAS326 and NAS542 devices are vulnerable due to improper handling of special elements in their CGI program. This flaw permits authenticated attackers to execute arbitrary operating system commands by crafting specially designed URLs. If exploited, this weakness could compromise the integrity of the affected systems, enabling unauthorized access and potential further attacks on the network. Users of these devices are urged to update their firmware to mitigate risks.

Affected Version(s)

NAS326 firmware V5.21(AAZF.14)C0

NAS542 firmware V5.21(ABAG.11)C0

References

https://www.zyxel.com/global/en/support/security-advisori...

vendor-advisory

https://bugprove.com/knowledge-hub/cve-2023-37927-and-cve...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 30, 2023
Vulnerability Reserved
Jul 11, 2023