critical-rce-vulnerability-affects-zyxel-nas-devices-—-firmware-patch-released

Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Critical RCE Vulnerability Affects Zyxel NAS Devices — Firmware Patch Released

Networking equipment maker Zyxel has released patches for a critical security flaw impacting its network-attached storage (NAS) devices.

Tracked as CVE-2022-34747 (CVSS score: 9.8), the issue relates to a “format string vulnerability” affecting NAS326, NAS540, and NAS542 models. Zyxel credited researcher Shaposhnikov Ilya for reporting the flaw.

“A format string vulnerability was found in a specific binary of Zyxel NAS products that could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet,” the company said in an advisory released on September 6.

The flaw affects the following versions –

  • NAS326 (V5.21(AAZF.11)C0 and earlier)
  • NAS540 (V5.21(AATB.8)C0 and earlier), and
  • NAS542 (V5.21(ABAG.8)C0 and earlier)

The disclosure comes as Zyxel previously addressed local privilege escalation and authenticated directory traversal vulnerabilities (CVE-2022-30526 and CVE-2022-2030) affecting its firewall products in July.

In June 2022, it also remediated a security vulnerability (CVE-2022-0823) that left GS1200 series switches susceptible to password-guessing attacks via a timing side-channel attack.

Zyxel’s advisory comes days after QNAP warned of a new wave of DeadBolt ransomware attacks targeting its NAS users by weaponizing a previously unknown flaw in its Photo Station software.

Hacking NAS devices is becoming a common practice. If you don’t take precautions or keep the software up to date, attackers can steal your sensitive and personal data. In some instances, they even manage to permanently delete data.


Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related News

Schoolyard Bully Malware Stealing Facebook Credentials on Android

Schoolyard Bully Malware Stealing Facebook Credentials on Android

Mobile security company Zimperium’s zLabs has released a warning about a notorious Android trojan that has stolen around 300,000 credentials…
8 Reasons Why Enterprises Use Java

8 Reasons Why Enterprises Use Java

Java is one of the most well-known programming languages and software platforms that is used on countless devices such as…
360m Alleged WhatsApp Records Shared Freely on Telegram and Dark Web

360m Alleged WhatsApp Records Shared Freely on Telegram and Dark Web

Previously we covered the news of a database containing 487 million up-to-date WhatsApp user records from 84 countries being sold…