Zyxel security advisory for SOHOpelessly Broken 2.0

CVE: CVE-2018-14892, CVE-2018-14893


A recent study dubbed SOHOpelessly Broken 2.0 tested 13 SOHO routers and NAS devices and identified security vulnerabilities, including 125 common vulnerabilities and exposures (CVE). There were two vulnerabilities found on Zyxel NSA325 v2 media server. After investigation, even if the two vulnerabilities could result in cross-site request forgery (CSRF) or command injection, attackers would be unable to launch these attacks without successfully logging in to the device.

What is the vulnerability?

The NSA325 v2 device lacks request origin verification functionality for browser authentication, potentially resulting in cross-site request forgery. In addition, the device’s proprietary command-line interface language is vulnerable to command injection via application program interface (API), which could allow low-privilege users to execute system commands as root.

What should you do?

As NSA325 v2 is a legacy model that has been retired from the market, firmware updates are no longer supported. However, because attackers must log in to the device in order to launch such attacks, we recommend that users exercise good general security practices by following the guidance below:

  • Do not log in to the device from a public computer, the cookies on which are more vulnerable to exposure and may be used by an attacker to forge requests.
  • Change the default password when logging in to a new device for the first time.
  • Use strong, unique passwords for every device and change them regularly.
  • Don't enable remote access unless it's absolutely necessary.


Got a question or a tipoff?

Please contact your local service rep for further information or assistance. If you’ve found a vulnerability, we want to work with you to fix it. Contact security@zyxel.com.tw and we’ll get right back to you.


Thanks to Rick Ramgattie from Independent Security Evaluators for reporting this vulnerability to us.

Revision history

Initial release 2019-9-23