Zyxel security advisory for post-authentication command injection vulnerability in NAS products
Zyxel has released patches addressing a post-authentication command injection vulnerability in some NAS versions. Users are advised to install them for optimal protection.
What is the vulnerability?
The post-authentication command injection vulnerability in some Zyxel NAS devices could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands by sending a crafted query parameter attached to the URL of an affected device’s web management interface.
What versions are vulnerable—and what should you do?
After a thorough investigation, we have identified the products affected* at the time of the issue report and provided the firmware patches outlined in the table below.
| Affected version |
|---|
| V5.21(AAZF.15)C0 and earlier |
| V5.21(ABAG.12)C0 and earlier |
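As an added example (not Zyxel's own tooling), the following Python helper checks an inventory of firmware version strings against the "and earlier" ranges listed above. It assumes the strings follow the V<major>.<minor>(<model code>.<build>)C<rev> layout shown in the table, and that versions sharing a model code order by major, minor, build and then C revision.

```python
import re
from typing import NamedTuple, Optional

# Constructed helper, not Zyxel's code. Parses Zyxel-style firmware version
# strings such as "V5.21(AAZF.15)C0" and decides whether a device falls under
# an "<version> and earlier" affected range for its model code.
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class FwVersion(NamedTuple):
    major: int
    minor: int
    model_code: str  # e.g. "AAZF"; identifies the hardware line
    build: int
    c_rev: int

    def key(self):
        # Assumed ordering within one model code: major, minor, build, C revision
        return (self.major, self.minor, self.build, self.c_rev)


def parse_version(s: str) -> FwVersion:
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {s!r}")
    major, minor, code, build, c_rev = m.groups()
    return FwVersion(int(major), int(minor), code, int(build), int(c_rev))


# Upper bounds of the affected ranges, taken from the advisory table.
AFFECTED_MAX = {
    v.model_code: v
    for v in map(parse_version, ["V5.21(AAZF.15)C0", "V5.21(ABAG.12)C0"])
}


def is_affected(version: str) -> Optional[bool]:
    """True if at or below the affected bound for its model code,
    False if newer, None if the model code is not in the advisory."""
    v = parse_version(version)
    bound = AFFECTED_MAX.get(v.model_code)
    if bound is None:
        return None
    return v.key() <= bound.key()


if __name__ == "__main__":
    # Constructed inventory lines; replace with a real device export.
    inventory = ["nas-a V5.21(AAZF.15)C0", "nas-b V5.21(AAZF.16)C0",
                 "nas-c V5.20(ABAG.12)C0", "nas-d V5.21(ZZZZ.1)C0"]
    for line in inventory:
        host, ver = line.split()
        print(host, ver, is_affected(ver))
```

A `None` result means the model code is not covered by this advisory, not that the device is safe; check it against the vendor's own product list.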
Got a question?
Please contact your local service rep or visit Zyxel’s Community for further information or assistance.
Thanks to Gábor Selján from BugProve for reporting the issue to us.
2024-1-30: Initial release.