PT-2023-7333 · Zyxel · Zyxel Nas542+1

Gábor Selján

Published

2023-11-30

Updated

2024-04-30

CVE-2023-4474

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Zyxel NAS326 version V5.21(AAZF.14)C0 Zyxel NAS542 version V5.21(ABAG.11)C0

Description The issue arises from the improper neutralization of special elements in the WSGI server, allowing an unauthenticated attacker to execute some operating system commands by sending a crafted URL to a vulnerable device. This could enable a remote attacker to execute arbitrary OS commands.

Recommendations For Zyxel NAS326 version V5.21(AAZF.14)C0, consider disabling the WSGI server until a patch is available. For Zyxel NAS542 version V5.21(ABAG.11)C0, consider disabling the WSGI server until a patch is available. As a temporary workaround, avoid using the vulnerable WSGI server functionality until the issue is resolved.

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

BDU:2023-08363

CVE-2023-4474

Affected Products

Zyxel Nas326

Zyxel Nas542

PT-2023-7333 · Zyxel · Zyxel Nas542+1

CVE-2023-4474

Weakness Enumeration

Related Identifiers

Affected Products

References · 15