Last updated 15 months ago
Zyxel is a Taiwanese manufacturer better known for cellular and broadband networking products and a few NAS devices for network-based storage access. Two of these NAS products are affected by six dangerous vulnerabilities, for which the company has already provided a security update.
Zyxel has recently released a new security advisory for a group of security vulnerabilities found in the company's NAS devices. The six flaws could be abused to bypass authentication protocols and inject malicious commands into the NAS OS, Zyxel has warned. Users are advised to install the already available security patches for "optimal protection" of their network storage setups.
The newly found vulnerabilities, which include three critical flaws with very high severity ratings, are described in the following CVE-tracked bulletins: CVE-2023-35137, CVE-2023-35138, CVE-2023-37927, CVE-2023-37928, CVE-2023-4473, CVE-2023-4474. The first flaw (CVE-2023-35137) has a severity rating of 7.5 and relates to improper authentication in the Zyxel NAS devices that could allow an unauthenticated attacker to obtain system information with a specially crafted URL.
The second flaw (CVE-2023-35138) is a critical vulnerability (9.8 severity score) in the "show_zysync_server_contents" function, Zyxel explains, that could provide hackers with a way to execute "some" OS commands by sending a specific HTTP POST request. The third flaw (CVE-2023-37927) is a high-severity bug (8.8) with improper neutralization of special elements in the CGI program, which could allow attackers to execute OS commands by sending a crafted URL.
The fourth flaw (CVE-2023-37928) is a post-authentication command injection vulnerability (8.8) in the WSGI server, which can once again open an OS command execution opportunity through a malicious URL. The fifth flaw (CVE-2023-4473) is a critical bug (9.8) in the Zyxel NAS web server that could be exploited the same way. Finally, the sixth flaw (CVE-2023-4474) is yet another critical issue (9.8) arising from improper neutralization of special elements in the WSGI server.
Zyxel acknowledged the work done by three researchers (Maxim Suslov, Gábor Selján, Drew Balfour) in discovering the security flaws. The company conducted a "thorough investigation" to identify the supported devices affected by the issues, which include the NAS326 and NAS542 network storage models.
The Taiwanese manufacturer didn't provide any possible mitigation measures or workarounds to protect the devices against the new flaws. To keep their data safe from cyber-criminals, customers need to install the following firmware updates: V5.21(AAZF.15)C0 for NAS326, V5.21(ABAG.12)C0 for NAS542.