Drew Balfour

**Name of the Vulnerable Software and Affected Versions** Zyxel NAS326 version V5.21(AAZF.14)C0 Zyxel NAS542 version V5.21(ABAG.11)C0 **Description** A command injection issue exists in the web server of the Zyxel NAS326 and NAS542 firmware due to the lack of neutralization of special elements used in operating system commands. This could allow a remote attacker to execute arbitrary operating system commands by sending a specially crafted URL to a vulnerable device. **Recommendations** For Zyxel NAS326 version V5.21(AAZF.14)C0, update the firmware to a version that includes a fix for this issue. For Zyxel NAS542 version V5.21(ABAG.11)C0, update the firmware to a version that includes a fix for this issue. As a temporary workaround, consider restricting access to the web server to minimize the risk of exploitation.