9.8
CVE-2023-27992
- EPSS 86.39%
- Veröffentlicht 19.06.2023 12:15:09
- Zuletzt bearbeitet 19.03.2025 20:58:46
- Quelle security@zyxel.com.tw
- Teams Watchlist Login
- Unerledigt Login
The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Zyxel ≫ Nas326 Firmware Version < 5.21\(aazf.14\)c0
Zyxel ≫ Nas540 Firmware Version < 5.21\(aatb.11\)c0
Zyxel ≫ Nas542 Firmware Version < 5.21\(abag.11\)c0
23.06.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog
Zyxel Multiple NAS Devices Command Injection Vulnerability
SchwachstelleMultiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability that could allow an unauthenticated attacker to execute commands remotely via a crafted HTTP request.
BeschreibungApply updates per vendor instructions.
Erforderliche Maßnahmen| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 86.39% | 0.994 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@zyxel.com.tw | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.