A Zyxel security bulletin issued on 30 November 2023 reports several vulnerabilities affecting Zyxel network-attached storage (NAS) devices, specifically the following models and versions:
NAS326, version V5.21(AAZF.14)C0 and earlier
NAS542, version V5.21(ABAG.11)C0 and earlier
The vulnerabilities enable an unauthenticated remote attacker to achieve command injection. Commands sent via an HTTP POST request or crafted URLs would be executed as operating system commands.
The table below summarizes the specifics for each vulnerability:
| Tracking Number | CVSS | Vector and Privilege Required |
| --- | --- | --- |
| | 7.5 | Network; no privilege or user interaction required |
| | 9.8 | Network; no privilege or user interaction required |
| | 9.8 | Network; no privilege or user interaction required |
| | 8.8 | Network; no privilege or user interaction required |
| | 9.8 | Network; no privilege or user interaction required |
| | 9.8 | Network; no privilege or user interaction required |
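
The affected models and versions listed above can be checked against a device inventory with a short script. This is an added example, not code from the bulletin or from Zyxel; it assumes the firmware string has the layout `V<major>.<minor>(<model code>.<patch>)C<suffix>` and that "earlier" means a lower (major, minor, patch) tuple. The inventory rows are constructed.

```python
import re

# Last affected firmware per model, copied from the bulletin summary above.
AFFECTED_UP_TO = {
    "NAS326": "V5.21(AAZF.14)C0",
    "NAS542": "V5.21(ABAG.11)C0",
}
# Assumed layout: V<major>.<minor>(<model code>.<patch>)C<suffix>
_FW_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)C(\d+)$")

def parse_firmware(version):
    """Return (model_code, (major, minor, patch)); the C suffix is ignored."""
    m = _FW_RE.match(version.strip().upper())
    if m is None:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    major, minor, code, patch, _suffix = m.groups()
    return code, (int(major), int(minor), int(patch))

def is_affected(model, version):
    """True/False for a listed model, None for a model the summary does not list."""
    ceiling = AFFECTED_UP_TO.get(model.strip().upper())
    if ceiling is None:
        return None
    ceiling_code, ceiling_key = parse_firmware(ceiling)
    code, key = parse_firmware(version)
    if code != ceiling_code:
        raise ValueError(f"{version!r} is not a {model} firmware string")
    # Integer comparison, so patch 9 sorts before patch 11.
    return key <= ceiling_key

def triage(inventory):
    """Map host -> 'affected' | 'not affected' | 'not listed' | 'unparsed'."""
    labels = {True: "affected", False: "not affected", None: "not listed"}
    results = {}
    for host, model, version in inventory:
        try:
            results[host] = labels[is_affected(model, version)]
        except ValueError:
            results[host] = "unparsed"  # needs a manual look
    return results

# Constructed inventory: hostnames, "OTHER-NAS" and every version except the two ceilings are made up.
SAMPLE_INVENTORY = [
    ("nas-a", "NAS326", "V5.21(AAZF.14)C0"),
    ("nas-b", "NAS326", "V5.21(AAZF.15)C0"),
    ("nas-c", "NAS542", "V5.21(ABAG.9)C0"),
    ("nas-d", "OTHER-NAS", "V1.00(ZZZZ.0)C0"),
    ("nas-e", "NAS542", "5.21 build 11"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Hosts reported as "unparsed" or "not listed" are not cleared by this check and should be reviewed by hand against the bulletin.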