Andrej Zaujec

**Name of the Vulnerable Software and Affected Versions** Zyxel NAS326 versions prior to V5.21(AAZF.14)C0 Zyxel NAS540 versions prior to V5.21(AATB.11)C0 Zyxel NAS542 versions prior to V5.21(ABAG.11)C0 **Description** The pre-authentication command injection issue in Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request. This could enable an attacker to run arbitrary commands on affected systems. **Recommendations** For Zyxel NAS326 versions prior to V5.21(AAZF.14)C0, update to version V5.21(AAZF.14)C0 or later. For Zyxel NAS540 versions prior to V5.21(AATB.11)C0, update to version V5.21(AATB.11)C0 or later. For Zyxel NAS542 versions prior to V5.21(ABAG.11)C0, update to version V5.21(ABAG.11)C0 or later. As a temporary workaround, consider restricting access to the affected devices until a patch is applied.