Zyxel security advisory for pre-authentication command injection vulnerability in NAS products
Zyxel has released patches addressing a pre-authentication command injection vulnerability in some NAS versions. Users are advised to install them for optimal protection.
What is the vulnerability?
The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request.
What versions are vulnerable—and what should you do?
After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period, with their firmware patches shown in the table below.
|V5.21(AAZF.13)C0 and earlier
|V5.21(AATB.10)C0 and earlier
|V5.21(ABAG.10)C0 and earlier
Got a question?
Please contact your local service rep or visit Zyxel’s Community for further information or assistance.
Thanks to Andrej Zaujec, NCSC-FI, and Maxim Suslov for reporting the issue to us.
2023-6-20: Initial release.