9.8
CVE-2023-27992
- EPSS 86.39%
- Published 19.06.2023 12:15:09
- Last modified 19.03.2025 20:58:46
- Source security@zyxel.com.tw
- Teams watchlist Login
- Open Login
The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request.
Data is provided by the National Vulnerability Database (NVD)
Zyxel ≫ Nas326 Firmware Version < 5.21\(aazf.14\)c0
Zyxel ≫ Nas540 Firmware Version < 5.21\(aatb.11\)c0
Zyxel ≫ Nas542 Firmware Version < 5.21\(abag.11\)c0
23.06.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog
Zyxel Multiple NAS Devices Command Injection Vulnerability
VulnerabilityMultiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability that could allow an unauthenticated attacker to execute commands remotely via a crafted HTTP request.
DescriptionApply updates per vendor instructions.
Required actions| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 86.39% | 0.994 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| security@zyxel.com.tw | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.