Zyxel security advisory for NAS remote access vulnerability
CVEs: CVE-2020-13364, CVE-2020-13365
Zyxel NAS products are affected by a remote access vulnerability. Users are advised to install the latest firmware patches immediately for optimal protection.
What is the vulnerability?
A remote access vulnerability was identified in a CGI script for the web application of NAS products. When a user logs in using the unprivileged “admin” user account, the vulnerability could allow the user to start a Telnet or SSH service and generate a password for the “NsaRescueAngel” user account with root privileges. As the vulnerable CGI is a legacy design, it has been removed in the latest firmware of the affected NAS products.
What products are vulnerable—and what should you do?
After a thorough investigation, we have confirmed that the NAS products listed in the table below are affected. We urge users to install the latest firmware immediately for the best protection.
| Device | Latest firmware version |
|---|---|
Got a question or a tipoff?
Please contact your local service rep for further information or assistance. If you’ve found a vulnerability, we want to work with you to fix it—contact firstname.lastname@example.org and we’ll get right back to you.
Acknowledgment
Daniel Nussko, an independent researcher from Germany
Revision history
2020-8-5: Initial release