Zyxel has released patches for a pre-authentication command injection vulnerability, tracked as CVE-2023-27992, affecting some NAS firmware versions.
The vulnerability, which has a CVSS score of 9.8, could allow an unauthenticated attacker to execute some operating system (OS) commands remotely on affected Zyxel NAS devices by sending a crafted HTTP request.
As per the Zyxel statement: "After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period, with their firmware patches shown in the table below."
| Affected model | Affected version | Patch availability |
|---|---|---|
| NAS326 | V5.21(AAZF.13)C0 and earlier | V5.21(AAZF.14)C0 |
| NAS540 | V5.21(AATB.10)C0 and earlier | V5.21(AATB.11)C0 |
| NAS542 | V5.21(ABAG.10)C0 and earlier | V5.21(ABAG.11)C0 |
There is currently no indication that CVE-2023-27992 is being actively exploited. Since Zyxel mentions no workarounds or mitigations, administrators and owners of the NAS models listed above are advised to upgrade to the latest firmware version promptly.
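For fleet owners, the practical question is which devices still run an affected build. The following Python script is an added example (not code from Zyxel or from this article) that parses Zyxel's firmware version format and checks an inventory against the patch table above. It assumes versions order by major.minor, then the build number inside the parentheses, then the trailing C-suffix; the `SAMPLE_INVENTORY` hostnames and the NAS220 entry are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Zyxel firmware strings look like "V5.21(AAZF.14)C0":
# major.minor, then a product-family code and build number in parentheses,
# then a release suffix. Ordering by these numeric parts is an assumption.
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


@dataclass(frozen=True)
class FirmwareVersion:
    major: int
    minor: int
    family: str
    build: int
    release: int

    @classmethod
    def parse(cls, text: str) -> "FirmwareVersion":
        m = VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised Zyxel firmware version: {text!r}")
        major, minor, family, build, release = m.groups()
        return cls(int(major), int(minor), family, int(build), int(release))

    def key(self) -> Tuple[int, int, int, int]:
        # Comparison key; the family code is checked separately.
        return (self.major, self.minor, self.build, self.release)


# First patched version per model, taken from the advisory table.
PATCHED: Dict[str, FirmwareVersion] = {
    "NAS326": FirmwareVersion.parse("V5.21(AAZF.14)C0"),
    "NAS540": FirmwareVersion.parse("V5.21(AATB.11)C0"),
    "NAS542": FirmwareVersion.parse("V5.21(ABAG.11)C0"),
}


def is_vulnerable(model: str, version: str) -> Optional[bool]:
    """True if the build predates the fix, False if patched,
    None if the model is not in the advisory or the family code
    does not match the model (likely a mislabelled inventory row)."""
    fixed = PATCHED.get(model)
    if fixed is None:
        return None
    current = FirmwareVersion.parse(version)
    if current.family != fixed.family:
        return None
    return current.key() < fixed.key()


def triage(inventory: Iterable[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group (hostname, model, version) rows into upgrade / patched / unknown."""
    result: Dict[str, List[str]] = {"upgrade": [], "patched": [], "unknown": []}
    for host, model, version in inventory:
        verdict = is_vulnerable(model, version)
        if verdict is None:
            result["unknown"].append(host)
        elif verdict:
            result["upgrade"].append(host)
        else:
            result["patched"].append(host)
    return result


# Constructed sample inventory (hostnames and the NAS220 row are made up).
SAMPLE_INVENTORY = [
    ("nas-finance", "NAS326", "V5.21(AAZF.13)C0"),   # affected build
    ("nas-backup", "NAS540", "V5.21(AATB.11)C0"),    # already patched
    ("nas-lab", "NAS542", "V5.21(ABAG.10)C0"),       # affected build
    ("nas-old", "NAS326", "V5.21(AATB.11)C0"),       # family code mismatch
    ("nas-other", "NAS220", "V4.22(AFOA.0)C0"),      # model not in advisory
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Rows landing in `unknown` deserve a manual look rather than being treated as safe: a family code that does not match the model usually means the inventory is wrong, and models outside the advisory may be out of their vulnerability support period entirely.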