PT-2023-8183 · Zyxel · Zyxel Nas542+1

Gábor Selján

Published

2023-07-01

Updated

2023-12-06

CVE-2023-37927

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Zyxel NAS326 firmware version V5.21(AAZF.14)C0 Zyxel NAS542 firmware version V5.21(ABAG.11)C0

Description The issue is related to the improper neutralization of special elements in the CGI program of the Zyxel NAS326 and NAS542 firmware. This could allow an authenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.

Recommendations For Zyxel NAS326 firmware version V5.21(AAZF.14)C0, update the firmware to a version that fixes the issue. For Zyxel NAS542 firmware version V5.21(ABAG.11)C0, update the firmware to a version that fixes the issue. As a temporary workaround, consider restricting access to the CGI program to minimize the risk of exploitation.

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

BDU:2024-00170

BDU:2024-00171

CVE-2023-37927

Affected Products

Zyxel Nas326

Zyxel Nas542

PT-2023-8183 · Zyxel · Zyxel Nas542+1

CVE-2023-37927

Weakness Enumeration

Related Identifiers

Affected Products

References · 11