December 1, 2023 at 01:54AM
Zyxel released patches for 15 security issues affecting NAS, firewall, and AP devices. This includes three critical vulnerabilities that could allow unauthenticated command execution. High-severity flaws enabling system information access and arbitrary command execution were also patched. Users are urged to update their devices to prevent exploitation.
Meeting Takeaways:
1. Zyxel has released patches for 15 security issues affecting their NAS, firewall, and AP devices.
2. Out of the vulnerabilities addressed, three are critical with CVSS scores of 9.8, potentially allowing unauthenticated command injection and authentication bypass:
– CVE-2023-35138: Command injection via crafted HTTP POST request.
– CVE-2023-4473: Command injection in web server via crafted URL.
– CVE-2023-4474: Execution of OS commands via crafted URL due to improper neutralization of special elements.
3. Three high-severity flaws were also patched (CVE-2023-35137, CVE-2023-37927, CVE-2023-37928) that could enable system information access and arbitrary command execution. Notably, CVE-2023-37927 and CVE-2023-37928 require authentication.
4. Impacted models and their respective versions include:
– NAS326: Versions up to V5.21(AAZF.14)C0 (Patched in V5.21(AAZF.15)C0).
– NAS542: Versions up to V5.21(ABAG.11)C0 (Patched in V5.21(ABAG.12)C0).
5. This advisory follows a recent patch for nine flaws in select firewall and AP versions that could lead to system file access, admin log access, and DoS attacks.
6. Given the history of exploitation of Zyxel devices, it is strongly recommended for users to update to the latest versions to mitigate any potential threats.
7. The article encourages following the publisher on Twitter and LinkedIn for more exclusive content.