PT-2023-8182 · Zyxel · Zyxel Nas542+1

Gábor Selján · Published 2023-07-01 · Updated 2023-12-06 · CVE-2023-37928

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Zyxel NAS326 version V5.21(AAZF.14)C0
Zyxel NAS542 version V5.21(ABAG.11)C0

Description

A post-authentication command injection issue in the WSGI server of the Zyxel NAS326 and NAS542 firmware could allow an authenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device. The root cause is a failure to neutralize special elements used in OS commands, so a specially crafted URL sent to the device reaches the command interpreter.

Recommendations

For Zyxel NAS326 version V5.21(AAZF.14)C0 and Zyxel NAS542 version V5.21(ABAG.11)C0, consider disabling the WSGI server until a patch is available. As a temporary workaround, avoid using the vulnerable WSGI server functionality until the issue is resolved.

Fix

Weakness Enumeration

OS Command Injection

Related identifiers

BDU:2024-00170
CVE-2023-37928

Affected products

Zyxel Nas326
Zyxel Nas542