PT-2023-7313 · Zyxel · Zyxel Nas542+1
Maxim Suslov · Published 2023-11-30 · Updated 2025-07-28 · CVE-2023-35138
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Zyxel NAS326 version V5.21(AAZF.14)C0
Zyxel NAS542 version V5.21(ABAG.11)C0
Description
A command injection issue exists in the show zysync server contents function, allowing an unauthenticated attacker to execute some operating system commands by sending a crafted HTTP POST request. This is due to the lack of neutralization of special elements used in the operating system command. The exploitation of this issue may allow a remote attacker to execute arbitrary code.
Recommendations
For Zyxel NAS326 version V5.21(AAZF.14)C0, consider disabling the show zysync server contents function until a patch is available.
For Zyxel NAS542 version V5.21(ABAG.11)C0, consider disabling the show zysync server contents function until a patch is available.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Zyxel Nas326
Zyxel Nas542