Timothy Hjort

**Name of the Vulnerable Software and Affected Versions** Zyxel NAS326 versions prior to V5.21(AAZF.17)C0 Zyxel NAS542 versions prior to V5.21(ABAG.14)C0 **Description** The issue exists due to the lack of measures to neutralize special elements used in the operating system command. Exploitation of this issue may allow a remote attacker to execute arbitrary code by sending a specially crafted HTTP POST request to the `remote help-cgi` CGI program. This allows an unauthenticated attacker to execute some operating system (OS) commands. **Recommendations** For Zyxel NAS326 versions prior to V5.21(AAZF.17)C0, update to V5.21(AAZF.17)C0 or later. For Zyxel NAS542 versions prior to V5.21(ABAG.14)C0, update to V5.21(ABAG.14)C0 or later. As a temporary workaround, consider restricting access to the `remote help-cgi` CGI program until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Zyxel NAS326 versions prior to V5.21(AAZF.17)C0 Zyxel NAS542 versions prior to V5.21(ABAG.14)C0 **Description** The command injection vulnerability in the `setCookie` parameter could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request to the `/cmd,/simZysh/register main/setCookie` endpoint. It is estimated that 1,194 exposed NAS326 and NAS542 devices, primarily in Europe, are potentially affected. Botnets have been observed exploiting this issue. **Recommendations** For Zyxel NAS326 versions prior to V5.21(AAZF.17)C0, update the firmware to V5.21(AAZF.17)C0 or later. For Zyxel NAS542 versions prior to V5.21(ABAG.14)C0, update the firmware to V5.21(ABAG.14)C0 or later. As a temporary workaround, consider restricting access to the `setCookie` parameter in the `/cmd,/simZysh/register main/setCookie` endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Zyxel NAS326 versions prior to V5.21(AAZF.17)C0 Zyxel NAS542 versions prior to V5.21(ABAG.14)C0 **Description** The issue is related to improper privilege management in the SUID executable binary. This could allow an authenticated local attacker with administrator privileges to execute system commands as the "root" user on a vulnerable device. The vulnerability is associated with deficiencies in access control, which may enable an attacker to elevate their privileges and execute arbitrary commands using the `executor su` binary file. **Recommendations** For Zyxel NAS326 versions prior to V5.21(AAZF.17)C0, update to version V5.21(AAZF.17)C0 or later. For Zyxel NAS542 versions prior to V5.21(ABAG.14)C0, update to version V5.21(ABAG.14)C0 or later. As a temporary workaround, consider restricting access to the `executor su` binary file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zyxel NAS326 versions prior to V5.21(AAZF.17)C0 Zyxel NAS542 versions prior to V5.21(ABAG.14)C0 **Description** The issue concerns improper privilege management in the command `show allsessions` in Zyxel NAS326 and NAS542 firmware. This could allow an authenticated attacker to obtain a logged-in administrator's session information containing cookies on an affected device by sending a specially crafted GET request to the `/cmd,/ck6fup6/system main/show allsessions` endpoint. The `show allsessions` command is vulnerable, potentially allowing attackers to elevate their privileges and gain unauthorized access to protected information. **Recommendations** For Zyxel NAS326 versions prior to V5.21(AAZF.17)C0, update the firmware to V5.21 or later. For Zyxel NAS542 versions prior to V5.21(ABAG.14)C0, update the firmware to V5.21 or later. As a temporary workaround, consider restricting access to the `show allsessions` command until a patch is available. Avoid using the vulnerable endpoint `/cmd,/ck6fup6/system main/show allsessions` in the affected firmware versions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zyxel NAS326 versions prior to V5.21(AAZF.17)C0 Zyxel NAS542 versions prior to V5.21(ABAG.14)C0 **Description** The issue is related to a remote code execution vulnerability in the CGI program `file upload-cgi` in Zyxel NAS326 and NAS542 firmware. This vulnerability could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device. The vulnerability is associated with unlimited upload of dangerous file types, which can be exploited by a remote attacker to bypass security restrictions and execute arbitrary code. **Recommendations** For Zyxel NAS326 versions prior to V5.21(AAZF.17)C0, update to version V5.21(AAZF.17)C0 or later. For Zyxel NAS542 versions prior to V5.21(ABAG.14)C0, update to version V5.21(ABAG.14)C0 or later. As a temporary workaround, consider disabling the `file upload-cgi` function until a patch is available. Restrict access to the vulnerable `file upload-cgi` module to minimize the risk of exploitation. Avoid using the vulnerable CGI program until the issue is resolved.