ZYXEL warns of critical vulnerabilities in branded NAS devices

ZYXEL has disclosed several serious vulnerabilities in its network-attached storage (NAS) devices, including three critical ones that allow unauthenticated attackers to execute arbitrary commands on vulnerable devices.

ZYXEL NAS systems are used for centralized storage of data on the network and are designed to handle large volumes of information. They offer functions such as backup, media streaming and related service settings.

ZYXEL NAS is typically used by small and medium-sized enterprises that need solutions for data management, remote work, and collaboration. It is also in demand among IT specialists, videographers, and digital artists who work with large files.

In a Security Bulletin published on November 30, ZYXEL warns of the following vulnerabilities affecting NAS326 devices:

  • CVE-2023-35137: Vulnerability in the authentication module of ZYXEL NAS devices, allowing unauthenticated attackers to obtain system information through a specially crafted URL (CVSS score 7.5)
  • CVE-2023-35138: Vulnerability in the “Show_ZYSYNC_SERVER_CONTENTS” function of ZYXEL NAS devices, allowing unauthenticated attackers to execute OS commands through a specially crafted HTTP POST request (CVSS score 9.8)
  • CVE-2023-37927: Vulnerability in the CGI program of ZYXEL NAS devices, allowing authenticated attackers to execute OS commands through a specially crafted URL (CVSS score 8.8)
  • CVE-2023-37928: Vulnerability in the WSGI server of ZYXEL NAS devices, allowing authenticated attackers to execute OS commands through a specially crafted URL (CVSS score 8.8)
  • CVE-2023-4473: Vulnerability in the web server of ZYXEL NAS devices, allowing unauthenticated attackers to execute OS commands through a specially crafted URL (CVSS score 9.8)
  • CVE-2023-4474: Vulnerability in the WSGI server of ZYXEL NAS devices, allowing unauthenticated attackers to execute OS commands through a specially crafted URL (CVSS score 9.8)
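As an added example (not part of the bulletin and not Zyxel's own tooling), a small log-triage script that flags the request patterns the bulletin describes: POST requests that reach the Show_ZYSYNC_SERVER_CONTENTS function, and CGI/WSGI requests carrying shell metacharacters in the URL, with an extra tag when the source lies outside an assumed admin network. The log format, endpoint paths and trusted network range are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache "combined" style (format,
# endpoint paths and the trusted admin network are assumptions, not Zyxel's).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Dec/2023:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Dec/2023:10:00:05 +0000] "POST /cgi-bin/zysync.cgi?fn=Show_ZYSYNC_SERVER_CONTENTS HTTP/1.1" 200 128 "-" "curl/8.0"
192.168.1.20 - - [01/Dec/2023:10:01:00 +0000] "GET /cgi-bin/weblogin.cgi?user=admin HTTP/1.1" 200 256 "-" "Mozilla/5.0"
203.0.113.55 - - [01/Dec/2023:10:02:00 +0000] "GET /cgi-bin/status.cgi?name=x%3B%20id HTTP/1.1" 500 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*"')
# Shell metacharacters that have no business in a CGI/WSGI request URL
SHELL_META = re.compile(r"[;|`$&\n]")
# Assumed trusted management network; anything else counts as external
ADMIN_NETS = (ipaddress.ip_network("192.168.1.0/24"),)


def classify(line):
    """Return a list of finding tags for one access-log line ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = unquote(m["url"])  # decode %3B etc. before pattern checks
    findings = []
    # CVE-2023-35138: pre-auth OS command execution via a crafted POST to
    # Show_ZYSYNC_SERVER_CONTENTS, so any POST reaching it deserves review
    if m["method"].upper() == "POST" and "Show_ZYSYNC_SERVER_CONTENTS" in url:
        findings.append("zysync-post")
    # CVE-2023-37927/37928/4473/4474: command execution via crafted URLs to
    # the CGI program / WSGI server, so metacharacters in those URLs stand out
    if ("/cgi-bin/" in url or "/wsgi" in url) and SHELL_META.search(url):
        findings.append("shell-meta-in-url")
    if findings:
        src = ipaddress.ip_address(m["ip"])
        if not any(src in net for net in ADMIN_NETS):
            findings.append("external-source")
    return findings


def scan(log_text):
    """Return [(source_ip, findings)] for every line that raised a finding."""
    hits = []
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            hits.append((line.split(" ", 1)[0], findings))
    return hits
```

Run it over real NAS web-server logs (adjusting the paths and admin network to your environment) to spot exploitation attempts against the six CVEs while patches are rolled out.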