SOCRadar® Cyber Intelligence Inc. | What Do You Need to Know About Zyxel NAS Products’ Command Injection Vulnerability CVE-2023-27992


Jun 21, 2023
3 Mins Read

What Do You Need to Know About Zyxel NAS Products’ Command Injection Vulnerability CVE-2023-27992

Recently, a significant vulnerability was discovered in Zyxel NAS326, NAS540, and NAS542 firmware versions that could lead to a severe security risk. Known as CVE-2023-27992, this pre-authentication command injection vulnerability poses a critical threat, with a CVSS base score of 9.8, indicating a high level of severity.

What is CVE-2023-27992?

The pre-authentication command injection vulnerability was discovered in Zyxel’s NAS products, specifically NAS326, NAS540, and NAS542 firmware versions. It allows an unauthenticated attacker to execute operating system (OS) commands remotely by sending a crafted HTTP request. This vulnerability can be exploited with relative ease, making it a serious threat to any organization using these versions of Zyxel NAS products.

Impacted Products by CVE-2023-27992

The following Zyxel NAS products and versions are affected by this vulnerability:

  • NAS326 with version V5.21(AAZF.13)C0 and earlier
  • NAS540 with version V5.21(AATB.10)C0 and earlier
  • NAS542 with version V5.21(ABAG.10)C0 and earlier
  • Are there any exploits in the wild for CVE-2023-27992?

    As of the time of writing, there are no known exploits for this vulnerability in the wild. However, due to the severity and the ease of exploitation of the vulnerability, it is likely that threat actors could soon start exploiting it if they haven’t already. This section will be updated as soon as new information becomes available.

    Are there any threat actors actively exploiting CVE-2023-27992?

    There are no known threat actors actively exploiting this vulnerability at the moment. Nonetheless, the high severity of the vulnerability indicates that it could potentially be a target for malicious actors. Organizations should remain vigilant and monitor for any suspicious activities.

    How to Detect CVE-2023-27992

    If the Zyxel NAS products and specific versions mentioned above are in use within your setup, you are susceptible to this vulnerability.

    How to Mitigate CVE-2023-27992

    Zyxel has already released patches to address the pre-authentication command injection vulnerability in the affected NAS versions:

  • NAS326 with version V5.21(AAZF.14)C0
  • NAS540 with version V5.21(AATB.11)C0
  • NAS542 with version V5.21(ABAG.11)C0
  • Users are strongly advised to install these patches for optimal protection. However, Zyxel does not mention any other workarounds or mitigations.

    How Can SOCRadar Help?

    SOCRadar helps organizations for staying up-to-date on the latest security threats and vulnerabilities. It gathers information on all known vulnerabilities and presents it in a way that is easy to act upon, using alerts to help you prioritize your actions and stay informed about any potential threats to your organization. 

    You can utilize SOCRadar’s Vulnerability Intelligence module to access detailed information on vulnerabilities, allowing you to effectively manage any related issues and prioritize the necessary patches.

    SOCRadar’s Vulnerability Intelligence 

    Additionally, with SOCRadar’s Attack Surface Management, you have the capability to monitor vulnerabilities in automatically identified products within your organization’s digital footprint in real time. This empowers security teams to take a proactive approach toward prioritizing vulnerabilities by accessing contextual intelligence.

    Company Vulnerabilities on SOCRadar