Alex Holden

#23300 of 53,634
10 Total CVSS
Vulnerabilities · 1
PT-2020-1852
10
2020-02-26
Zyxel · Nsa310 · CVE-2020-9054
**Name of the Vulnerable Software and Affected Versions**

- ZyXEL NAS326 versions prior to V5.21(AAZF.7)C0
- ZyXEL NAS520 versions prior to V5.21(AASZ.3)C0
- ZyXEL NAS540 versions prior to V5.21(AATB.4)C0
- ZyXEL NAS542 versions prior to V5.21(ABAG.4)C0
- ZyXEL NSA210 (affected versions not specified)
- ZyXEL NSA220 (affected versions not specified)
- ZyXEL NSA220+ (affected versions not specified)
- ZyXEL NSA221 (affected versions not specified)
- ZyXEL NSA310 (affected versions not specified)
- ZyXEL NSA310S (affected versions not specified)
- ZyXEL NSA320 (affected versions not specified)
- ZyXEL NSA320S (affected versions not specified)
- ZyXEL NSA325 (affected versions not specified)
- ZyXEL NSA325v2 (affected versions not specified)

**Description**

The vulnerability is a pre-authentication command injection issue in the `weblogin.cgi` CGI executable, which fails to properly sanitize the `username` parameter. This allows a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device with root privileges. The issue can be exploited by sending a specially crafted HTTP POST or GET request to a vulnerable device. It is estimated that over 100,000 devices may be affected.

The vulnerability has been exploited in real-world incidents, with a working exploit available for sale on hacker forums. A new variant of the Mirai IoT botnet malware, called Mukashi, has been found targeting Zyxel NAS devices using this vulnerability.

**Recommendations**

- For NAS326, update to firmware V5.21(AAZF.7)C0 or later.
- For NAS520, update to firmware V5.21(AASZ.3)C0 or later.
- For NAS540, update to firmware V5.21(AATB.4)C0 or later.
- For NAS542, update to firmware V5.21(ABAG.4)C0 or later.

For NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325, and NSA325v2, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling the `weblogin.cgi` executable until a patch is available.
Restrict access to the vulnerable `weblogin.cgi` CGI executable to minimize the risk of exploitation. Avoid using the `username` parameter in the affected API endpoint until the issue is resolved.
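
To check whether a device is still receiving traffic of the kind described above, web server or reverse-proxy access logs can be reviewed for `weblogin.cgi` requests whose `username` value falls outside a strict allowlist. This is an added example, not code from the advisory or from Zyxel; the combined log format, the allowlist, the `/PLACEHOLDER/` path prefix and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Conservative allowlist for a login name (assumption; adjust to local naming policy).
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")

# Source address and request target from a combined-format access log line (assumed format).
REQUEST = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_weblogin_requests(lines):
    """Return (source, username) for weblogin.cgi requests with a non-allowlisted username."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/weblogin.cgi"):
            continue
        # parse_qs percent-decodes values; keep_blank_values so empty names are seen too.
        for name in parse_qs(url.query, keep_blank_values=True).get("username", []):
            if not SAFE_USERNAME.fullmatch(name):
                hits.append((m.group("src"), name))
    return hits


# Constructed sample log lines (documentation addresses, placeholder path, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Feb/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [26/Feb/2020:10:00:05 +0000] '
    '"GET /PLACEHOLDER/weblogin.cgi?username=admin&password=x HTTP/1.1" 200 87',
    '198.51.100.7 - - [26/Feb/2020:10:02:13 +0000] '
    '"GET /PLACEHOLDER/weblogin.cgi?username=guest%3BCONSTRUCTED&password=x HTTP/1.1" 200 87',
    # A POST carries its parameters in the body, which this log format does not record.
    '198.51.100.7 - - [26/Feb/2020:10:02:14 +0000] "POST /PLACEHOLDER/weblogin.cgi HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    for src, name in suspicious_weblogin_requests(SAMPLE_LOG):
        print(f"{src} sent non-allowlisted username {name!r} to weblogin.cgi")
```

Access logs normally record only the query string, so requests that carry `username` in a POST body need inspection at a proxy or WAF that can see request bodies.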