CVE-2023-5372

Name of the Vulnerable Software and Affected Versions Zyxel NAS326 versions through V5.21(AAZF.15)C0 Zyxel NAS542 versions through V5.21(ABAG.12)C0

Description The issue is related to a post-authentication command injection vulnerability. It could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands by sending a crafted query parameter attached to the URL of an affected device’s web management interface. This is due to the lack of measures to neutralize special elements used in the operating system command.

Recommendations For Zyxel NAS326 versions through V5.21(AAZF.15)C0, consider disabling access to the web management interface until a patch is available. For Zyxel NAS542 versions through V5.21(ABAG.12)C0, restrict access to the web management interface to minimize the risk of exploitation. As a temporary workaround, avoid using the vulnerable query parameter in the affected URL until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.