Three command injection vulnerabilities have been discovered in Zyxel NAS (Network Attached Storage) products, which could allow a threat actor to execute system commands on successful exploitation.
Zyxel NAS (Network Attached Storage) devices provide fast, secure, and reliable storage services for data storage and file-sharing requests. Zyxel offers Zyxel Drive, allowing users to access Zyxel NAS devices over the internet even if they are not connected to the same network.
Users can retrieve, upload, and manage the files that are stored in the NAS devices. Zyxel has released a security advisory for these vulnerabilities and has patched the affected NAS products.
Command Injection Vulnerabilities
CVE-2023-35138: Command Injection
This vulnerability exists in the “show_zysync_server_contents” function of Zyxel NAS devices that could allow an unauthenticated threat actor to execute operating system commands.
An attacker can exploit this vulnerability by sending a crafted HTTP POST request. The severity for this vulnerability has been given as 9.8 (Critical).
CVE-2023-37928: Post-Authentication Command Injection
This is a post-authentication command injection vulnerability in the WSGI server of Zyxel NAS devices. An unauthenticated threat actor can execute operating system commands on the affected devices by sending a crafted URL.
The severity for this vulnerability has been given as 8.8 (High).
CVE-2023-4473: Command Injection in web server
This vulnerability exists in the web server of Zyxel NAS devices and could allow an unauthenticated threat actor to execute operating system commands. Successful exploitation requires a threat actor to send a crafted URL to a vulnerable device.
The severity rating for this vulnerability has been given as 9.8 (Critical).
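All three issues share one root cause: request data (a POST field or a URL component) reaches an operating-system command without validation. The following is an added example, not Zyxel's code and not taken from the advisory: a minimal WSGI handler of the kind the CVE-2023-37928 description mentions, showing the injectable pattern beside a hardened version. The share root path, the `share` parameter and the `ls` command are hypothetical; the point is that validated input becomes a single argv element and no shell ever parses it.

```python
import re
import subprocess
from io import BytesIO
from typing import List, Tuple
from urllib.parse import parse_qs

# Hypothetical share root; the page does not describe the real NAS layout.
SHARE_ROOT = "/i-data/shares"

# Allowlist for a share name: letters, digits, '.', '_' and '-', 1-64 characters,
# not starting with a dot (so no ".." and no hidden entries).
SHARE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]{0,63}$")


def build_command_unsafe(share: str) -> str:
    """The injectable pattern: request data concatenated into one shell string.
    Every shell metacharacter in `share` (';', '|', '$(...)', backticks) would be
    interpreted if this string were handed to a shell. Returned only for comparison."""
    return f"ls -l {SHARE_ROOT}/{share}"


def validate_share_name(share: str) -> str:
    """Reject anything outside the allowlist before it gets near a process."""
    if not SHARE_NAME.fullmatch(share):
        raise ValueError("invalid share name")
    return share


def build_command_safe(share: str) -> List[str]:
    """Hardened form: validated input is one argv element, and no shell is involved."""
    return ["ls", "-l", f"{SHARE_ROOT}/{validate_share_name(share)}"]


def application(environ, start_response):
    """Minimal WSGI handler: reads 'share' from a POST body and runs the hardened command."""
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("405 Method Not Allowed", [("Content-Type", "text/plain")])
        return [b"POST only\n"]
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    body = environ["wsgi.input"].read(length).decode("utf-8", "replace")
    share = parse_qs(body).get("share", [""])[0]
    try:
        argv = build_command_safe(share)
    except ValueError:
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"rejected\n"]
    try:
        # shell=False is the default; argv is passed to execve, never to /bin/sh.
        proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
        return [b"command unavailable\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [(proc.stdout + proc.stderr).encode()]


def call_app(method: str, body: str) -> Tuple[str, bytes]:
    """Drive the handler with a constructed WSGI environ (no server needed)."""
    raw = body.encode()
    environ = {
        "REQUEST_METHOD": method,
        "CONTENT_LENGTH": str(len(raw)),
        "wsgi.input": BytesIO(raw),
    }
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    out = b"".join(application(environ, start_response))
    return captured["status"], out


if __name__ == "__main__":
    print(build_command_unsafe("public; id"))        # one shell string, metacharacters intact
    print(build_command_safe("public"))              # argv list, no shell
    print(call_app("POST", "share=public%3B+id"))    # rejected with 400
```

The contrast worth noticing is between `build_command_unsafe`, where the input `public; id` survives into a single string a shell would split at the semicolon, and `build_command_safe`, which refuses that input outright and otherwise hands the process a list. Quoting with `shlex.quote` is a weaker second line of defence; the allowlist plus `shell=False` removes the interpreter from the path entirely.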
Affected Products & Fixed in Versions
| Affected model | Affected version | Patch availability |
|---|---|---|
| NAS326 | V5.21(AAZF.14)C0 and earlier | V5.21(AAZF.15)C0 |
| NAS542 | V5.21(ABAG.11)C0 and earlier | V5.21(ABAG.12)C0 |
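A fleet owner wants to turn the table above into a check rather than read it by hand. The following is an added example, not a Zyxel tool: it parses the firmware string format the table uses (`V<major>.<minor>(<tag>.<build>)C<n>`) and reports whether an inventory entry is at or past the fixed build. The fixed versions are exactly those listed in the table; the assumption that versions with the same tag order by (major, minor, build, C-number) is mine and is not stated in the advisory.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class Firmware(NamedTuple):
    major: int
    minor: int
    tag: str     # release line, e.g. AAZF for NAS326, ABAG for NAS542
    build: int
    c: int

    def key(self) -> Tuple[int, int, int, int]:
        # Assumed ordering within one release line (not stated by the advisory).
        return (self.major, self.minor, self.build, self.c)


FIRMWARE_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")

# Fixed versions as listed in the advisory table.
FIXED: Dict[str, str] = {
    "NAS326": "V5.21(AAZF.15)C0",
    "NAS542": "V5.21(ABAG.12)C0",
}


def parse_firmware(version: str) -> Firmware:
    """Parse 'V5.21(AAZF.14)C0' into its components; raise on anything else."""
    m = FIRMWARE_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    major, minor, tag, build, c = m.groups()
    return Firmware(int(major), int(minor), tag, int(build), int(c))


def is_patched(model: str, version: str) -> bool:
    """True if `version` is the fixed build for `model` or later (same release line)."""
    if model not in FIXED:
        raise ValueError(f"model {model!r} is not covered by the advisory table")
    fixed = parse_firmware(FIXED[model])
    have = parse_firmware(version)
    if have.tag != fixed.tag:
        raise ValueError(f"{version!r} is not on the {fixed.tag} line expected for {model}")
    return have.key() >= fixed.key()


def audit(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (model, version, status) for each device; status is one of
    'patched', 'VULNERABLE' or 'unknown' (unparseable or not in the table)."""
    report = []
    for model, version in inventory:
        try:
            status = "patched" if is_patched(model, version) else "VULNERABLE"
        except ValueError:
            status = "unknown"
        report.append((model, version, status))
    return report


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = [
        ("NAS326", "V5.21(AAZF.14)C0"),
        ("NAS326", "V5.21(AAZF.15)C0"),
        ("NAS542", "V5.21(ABAG.11)C0"),
        ("NAS542", "V5.21(ABAG.12)C0"),
        ("NAS540", "V5.21(AATB.11)C0"),
    ]
    for row in audit(sample):
        print("%-7s %-22s %s" % row)
```

Anything that does not parse, or that belongs to a model the advisory does not list, is reported as `unknown` rather than `patched`; for an advisory check, a silent pass on an unparseable string is the wrong default.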
Zyxel also credited the consultancies and security researchers who responsibly reported these vulnerabilities. Credits were given to:
- Maxim Suslov for CVE-2023-35138
- Attila Szász from BugProve for CVE-2023-37928, CVE-2023-4473
- Drew Balfour from IBM X-Force for CVE-2023-4473