Zyxel has released security updates for a critical flaw, tracked as CVE-2023-27992 (CVSS score: 9.8), in its network-attached storage (NAS) devices. The bug is a pre-authentication command injection affecting NAS326, NAS540, and NAS542 devices running firmware prior to V5.21(AAZF.14)C0, V5.21(AATB.11)C0, and V5.21(ABAG.11)C0, respectively. It allows a remote, unauthenticated attacker to execute certain operating system (OS) commands on the device by sending a specially crafted HTTP request, so any unit whose web interface is reachable from an untrusted network is exposed without the attacker needing credentials.
According to Zyxel's advisory, “The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request.” The vulnerability was reported by Andrej Zaujec, NCSC-FI, and Maxim Suslov.
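The practical question for an administrator is whether a given NAS is still on a pre-fix build. The following is an added example, not code from Zyxel or from the original article, that parses Zyxel's firmware version string format (V<major>.<minor>(<platform code>.<patch>)C<release>) and compares each device in a constructed inventory against the fixed versions quoted in the advisory. It assumes that the patch number increases monotonically within a platform code and that the trailing C<release> tag does not affect ordering, since all three fixed builds are C0; the inventory rows and hostnames are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Fixed builds per model, as quoted in the Zyxel advisory for CVE-2023-27992.
FIXED_VERSIONS = {
    "NAS326": "V5.21(AAZF.14)C0",
    "NAS540": "V5.21(AATB.11)C0",
    "NAS542": "V5.21(ABAG.11)C0",
}

# Zyxel firmware strings look like V5.21(AAZF.14)C0:
#   major.minor, a four-letter platform code, a patch number, and a release tag.
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)C(\d+)$")


class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    platform: str
    patch: int
    release: int


def parse_version(text: str) -> ZyxelVersion:
    """Parse a Zyxel firmware string; raise ValueError on anything unexpected."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version string: {text!r}")
    major, minor, platform, patch, release = m.groups()
    return ZyxelVersion(int(major), int(minor), platform, int(patch), int(release))


def is_vulnerable(model: str, firmware: str) -> Optional[bool]:
    """True if firmware predates the fix, False if fixed, None if the model is not in the advisory.

    Assumption: ordering is by (major, minor, patch); the C<release> tag is ignored
    because every fixed build in the advisory carries C0.
    """
    fixed_text = FIXED_VERSIONS.get(model.upper())
    if fixed_text is None:
        return None
    fixed = parse_version(fixed_text)
    current = parse_version(firmware)
    # A platform-code mismatch means the inventory model or firmware field is wrong;
    # refuse to guess rather than silently report "patched".
    if current.platform != fixed.platform:
        raise ValueError(
            f"platform code {current.platform} does not belong to {model} (expected {fixed.platform})"
        )
    return (current.major, current.minor, current.patch) < (fixed.major, fixed.minor, fixed.patch)


def check_inventory(rows: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Classify (hostname, model, firmware) rows as vulnerable / patched / not-applicable / error."""
    results = []
    for host, model, firmware in rows:
        try:
            status = is_vulnerable(model, firmware)
        except ValueError as exc:
            results.append((host, "error", str(exc)))
            continue
        if status is None:
            results.append((host, "not-applicable", f"{model} not covered by this advisory"))
        elif status:
            results.append((host, "vulnerable", f"{model} on {firmware}, fix is {FIXED_VERSIONS[model.upper()]}"))
        else:
            results.append((host, "patched", f"{model} on {firmware}"))
    return results


# Constructed sample inventory (hostnames and firmware values are illustrative only).
SAMPLE_INVENTORY = [
    ("nas-finance", "NAS326", "V5.21(AAZF.13)C0"),   # one patch level below the fix
    ("nas-backup",  "NAS540", "V5.21(AATB.11)C0"),   # exactly the fixed build
    ("nas-media",   "NAS542", "V5.20(ABAG.12)C0"),   # older minor version, higher patch number
    ("nas-lab",     "NAS542", "V5.21(AAZF.14)C0"),   # platform code does not match the model
    ("nas-old",     "NAS520", "V5.21(XXXX.10)C0"),   # model outside the advisory (constructed code)
]

if __name__ == "__main__":
    for host, status, detail in check_inventory(SAMPLE_INVENTORY):
        print(f"{host:12} {status:15} {detail}")
```

Rows flagged "error" deserve a second look rather than being dropped: a platform code that does not match the model usually means the inventory is wrong, and a wrong inventory is how a pre-auth bug on a storage box survives a patch cycle.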
In early June, Zyxel published guidance on protecting its firewall and VPN devices from ongoing attacks exploiting CVE-2023-28771, CVE-2023-33009, and CVE-2023-33010. Threat actors have been actively exploiting CVE-2023-28771, a command injection flaw in the IKE packet decoder of Zyxel firewalls that is reachable over UDP port 500, to install malware on compromised devices. The US CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation.
Zyxel had already patched CVE-2023-28771 (CVSS score 9.8) in its firewall devices in late April and urged customers to install the updates; the flaw was being exploited to enlist vulnerable devices in a Mirai-like botnet. The other two vulnerabilities, CVE-2023-33009 and CVE-2023-33010, are critical buffer overflows that a remote, unauthenticated attacker can trigger to cause a denial-of-service (DoS) condition or achieve remote code execution on vulnerable devices. Zyxel has stated that devices under attack become unresponsive and that their web GUI or SSH management interface becomes unreachable, which is a useful symptom to check for on any unit that has not yet been patched.