Zyxel has released patches to address 15 security issues affecting network-attached storage (NAS), firewall, and access point (AP) devices, including three critical flaws that can lead to authentication bypass and command injection.
The three critical weaknesses are listed below –
- CVE-2023-35138 (CVSS score: 9.8) – A command injection vulnerability that could allow an untrusted attacker to execute certain operating system commands by sending a crafted HTTP POST request.
- CVE-2023-4473 (CVSS score: 9.8) – A command injection vulnerability in the web server that could allow an unauthenticated attacker to execute certain operating system commands by sending a crafted URL to a vulnerable device.
- CVE-2023-4474 (CVSS score: 9.8) – An improper neutralization of special elements vulnerability that could allow an unauthenticated attacker to execute certain operating system commands by sending a crafted URL to a vulnerable device.
Zyxel has also fixed three high-severity bugs (CVE-2023-35137, CVE-2023-37927, and CVE-2023-37928) which, if successfully exploited, could allow attackers to obtain system information and execute arbitrary commands. It should be noted that CVE-2023-37927 and CVE-2023-37928 require authentication.
The flaws affect the following models and versions –
- NAS326 – versions V5.21(AAZF.14)C0 and earlier (Patched in V5.21(AAZF.15)C0)
- NAS542 – versions V5.21(ABAG.11)C0 and earlier (Patched in V5.21(ABAG.12)C0)
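A defender-side inventory check against the version table above, written for this article and not part of Zyxel's advisory. The layout of the version string (V<major>.<minor>(<model code>.<build>)C<revision>), the ordering of those fields, and the sample inventory rows are assumptions:

```python
import re
from typing import NamedTuple

# Patched releases named in the advisory, keyed by NAS model.
PATCHED = {
    "NAS326": "V5.21(AAZF.15)C0",
    "NAS542": "V5.21(ABAG.12)C0",
}

# Assumed layout of a Zyxel NAS firmware string: V5.21(AAZF.14)C0
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class Version(NamedTuple):
    major: int
    minor: int
    code: str   # model-specific code such as AAZF or ABAG
    build: int
    rev: int


def parse_version(text: str) -> Version:
    """Parse a firmware string; reject anything that does not fit the assumed layout."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {text!r}")
    major, minor, code, build, rev = m.groups()
    return Version(int(major), int(minor), code, int(build), int(rev))


def is_vulnerable(model: str, installed: str) -> bool:
    """True when the installed firmware predates the patched release for that model."""
    if model not in PATCHED:
        raise KeyError(f"model {model!r} is not covered by this advisory")
    have, need = parse_version(installed), parse_version(PATCHED[model])
    if have.code != need.code:
        raise ValueError(f"{installed!r} does not look like {model} firmware")
    # Assumed ordering: major, minor, build number, then the C revision.
    return (have.major, have.minor, have.build, have.rev) < (need.major, need.minor, need.build, need.rev)


def triage(inventory):
    """Map each (host, model, version) row to whether it still needs the patch."""
    return {host: is_vulnerable(model, version) for host, model, version in inventory}


# Constructed sample inventory; hostnames and firmware levels are made up.
SAMPLE_INVENTORY = [
    ("nas-01.example.internal", "NAS326", "V5.21(AAZF.14)C0"),
    ("nas-02.example.internal", "NAS326", "V5.21(AAZF.15)C0"),
    ("nas-03.example.internal", "NAS542", "V5.21(ABAG.11)C0"),
]

if __name__ == "__main__":
    for host, needs_patch in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'PATCH REQUIRED' if needs_patch else 'up to date'}")
```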
The advisory comes days after the Taiwanese networking vendor shipped fixes for nine bugs in selected firewall and access point (AP) versions, some of which could be exploited to access system files and administrator logs, as well as to cause a denial-of-service (DoS) condition.
With Zyxel devices being frequently exploited by threat actors, it is recommended that users apply the latest updates to mitigate potential threats.