October 2, 2023

Zyxel has released patches addressing a security flaw tracked as  CVE-2023-27992 pre-authentication command injection vulnerability in some NAS versions.

The vulnerability with a CVSS score of 9.8 ,described as a pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request.


As per the Zyxel statement – After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period, with their firmware patches shown in the table below.

Affected modelAffected versionPatch availability
NAS326V5.21(AAZF.13)C0 and earlierV5.21(AAZF.14)C0
NAS540V5.21(AATB.10)C0 and earlierV5.21(AATB.11)C0
NAS542V5.21(ABAG.10)C0 and earlierV5.21(ABAG.11)C0

There is currently no indication that CVE-2023-27992 is being actively exploited. Since Zyxel does not mention workarounds or mitigations, administrators and owners of the aforementioned NAS device models are advised to quickly upgrade to the latest firmware version.

Leave a Reply

%d bloggers like this: