Zyxel releases patches to fix 15 bugs in NAS, Firewall, and AP devices

December 01, 2023 | Newsroom | Firewall / Network Security


Zyxel has released patches to address 15 security issues affecting network-attached storage (NAS), firewall, and access point (AP) devices, including three critical flaws that could lead to authentication bypass and command injection.

The three critical weaknesses are listed below –

  • CVE-2023-35138 (CVSS score: 9.8) – A command injection vulnerability that could allow an unauthenticated attacker to execute certain operating system commands by sending a crafted HTTP POST request.
  • CVE-2023-4473 (CVSS score: 9.8) – A command injection vulnerability in the web server that could allow an unauthenticated attacker to execute certain operating system commands by sending a crafted URL to a vulnerable device.
  • CVE-2023-4474 (CVSS score: 9.8) – An improper neutralization of special elements vulnerability that could allow an unauthenticated attacker to execute certain operating system commands by sending a crafted URL to a vulnerable device.

Zyxel has also fixed three high-severity bugs (CVE-2023-35137, CVE-2023-37927, and CVE-2023-37928) which, if successfully exploited, could allow attackers to obtain system information and execute arbitrary commands. It should be noted that CVE-2023-37927 and CVE-2023-37928 require authentication.


The flaws affect the following models and versions –

  • NAS326 – versions V5.21(AAZF.14)C0 and earlier (Patched in V5.21(AAZF.15)C0)
  • NAS542 – versions V5.21(ABAG.11)C0 and earlier (Patched in V5.21(ABAG.12)C0)
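Whether a given device is affected comes down to comparing the firmware version string it reports against the fixed build for its model. The script below is an added example, not Zyxel's tooling and not part of the advisory: it parses version strings of the form V5.21(AAZF.14)C0 and sorts a (constructed) inventory into vulnerable, patched and unknown. It assumes that the parenthesised build number increases monotonically within one firmware train (AAZF for the NAS326, ABAG for the NAS542), and the host names and inventory entries are made up.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Fixed firmware versions from the advisory; every version "and earlier"
# in the same firmware train is affected.
FIXED_VERSIONS: Dict[str, str] = {
    "NAS326": "V5.21(AAZF.15)C0",
    "NAS542": "V5.21(ABAG.12)C0",
}


class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    code: str    # firmware train code, e.g. AAZF
    build: int   # build number inside the parentheses, e.g. 14
    suffix: str  # release suffix, e.g. C0


# Assumed layout of the string: V<major>.<minor>(<CODE>.<build>)<suffix>
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)([A-Z]\d+)$")


def parse_version(text: str) -> ZyxelVersion:
    """Parse a Zyxel firmware version string; reject anything that does not fit."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {text!r}")
    major, minor, code, build, suffix = m.groups()
    return ZyxelVersion(int(major), int(minor), code, int(build), suffix)


def is_vulnerable(model: str, version: str) -> bool:
    """True if `version` on `model` predates the fixed build from the advisory.

    Assumption (not stated by Zyxel): within one firmware train the build
    number is monotonic, so (major, minor, build) orders releases.
    """
    if model not in FIXED_VERSIONS:
        raise ValueError(f"no fixed version known for model {model!r}")
    fixed = parse_version(FIXED_VERSIONS[model])
    current = parse_version(version)
    if current.code != fixed.code:
        # A different train cannot be compared against this advisory.
        raise ValueError(
            f"{model}: firmware train {current.code} does not match {fixed.code}"
        )
    return (current.major, current.minor, current.build) < (
        fixed.major, fixed.minor, fixed.build
    )


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Bucket (host, model, version) entries into vulnerable / patched / unknown.

    Unknown covers models the advisory does not list and version strings
    that cannot be parsed; those need a manual look, not a green tick.
    """
    result: Dict[str, List[Tuple[str, str, str]]] = {
        "vulnerable": [], "patched": [], "unknown": []
    }
    for host, model, version in inventory:
        try:
            bucket = "vulnerable" if is_vulnerable(model, version) else "patched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append((host, model, version))
    return result


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("nas-finance-01", "NAS326", "V5.21(AAZF.14)C0"),  # listed as affected
    ("nas-finance-02", "NAS326", "V5.21(AAZF.15)C0"),  # fixed build
    ("nas-backup-01", "NAS542", "V5.21(ABAG.9)C0"),    # earlier build, affected
    ("nas-backup-02", "NAS542", "V5.21(ABAG.12)C0"),   # fixed build
    ("nas-lab-01", "NAS542", "5.21 ABAG.11"),          # malformed version string
]


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        for host, model, version in hosts:
            print(f"{bucket:10} {host:16} {model:8} {version}")
```

The unknown bucket is deliberate: an entry that fails to parse, or a model the advisory does not cover, should be investigated rather than silently treated as patched.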

The advisory comes days after the Taiwanese networking vendor shipped fixes for nine bugs in select firewall and access point (AP) versions, some of which could be exploited to access system files and administrator logs, as well as cause a denial-of-service (DoS) condition.

With Zyxel devices being frequently exploited by threat actors, users are recommended to apply the latest updates to mitigate potential threats.
