CVE-2022-34747

Warning

EPSS 2.78%
Published 06.09.2022 02:15:07
Last modified 21.11.2024 07:10:06
Source security@zyxel.com.tw
Teams watchlist Login
Open Login

A format string vulnerability in Zyxel NAS326 firmware versions prior to V5.21(AAZF.12)C0 could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet.

Affected products Warnungen 1 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Zyxel ≫ Nas326 Firmware Version < 5.21\(aazf.12\)c0

Zyxel ≫ Nas326 Version-

07.09.2022: CERT.at Warnung

https://www.cert.at/de/warnungen/2022/9/remote-code-execution-schwachstelle-in-zyxel-nas-updates-verfugbar

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	2.78%	0.855

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security@zyxel.com.tw	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-134 Use of Externally-Controlled Format String

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

https://www.zyxel.com/support/Zyxel-security-advisory-for-format-string-vulnerability-in-NAS.shtml

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-34747

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-34747

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-34747

EUVD