Zyxel Releases Unscheduled Update to Fix Critical Vulnerability in NAS Devices
Zyxel developers have released an unscheduled update to fix a critical vulnerability in NAS devices. The issue, identified as CVE-2023-27992 (CVSS score of 9.8), may lead to the execution of arbitrary commands on affected systems.
Affected Devices and Firmware
The bug is reported to affect the following devices and firmware:
NAS326 – affects firmware V5.21(AAZF.13)C0 and earlier, fixed in version V5.21(AAZF.14)C0;
NAS540 – affects firmware V5.21(AATB.10)C0 and earlier, fixed in version V5.21(AATB.11)C0;
NAS542 – affects firmware V5.21(ABAG.10)C0 and earlier, fixed in version V5.21(ABAG.11)C0.
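As an added illustration (not code from Zyxel or from this article), a small triage script that checks a device inventory against the version table above. The firmware-string layout it parses, V&lt;major&gt;.&lt;minor&gt;(&lt;platform&gt;.&lt;build&gt;)C&lt;rev&gt;, and the reading of "and earlier" as a lower (major, minor, build) tuple are assumptions; the inventory is constructed.

```python
import re

# Affected build / fixed build per the Zyxel advisory for CVE-2023-27992 (listed build and earlier are vulnerable).
ADVISORY = {
    "NAS326": ("V5.21(AAZF.13)C0", "V5.21(AAZF.14)C0"),
    "NAS540": ("V5.21(AATB.10)C0", "V5.21(AATB.11)C0"),
    "NAS542": ("V5.21(ABAG.10)C0", "V5.21(ABAG.11)C0"),
}

# Assumed layout of a Zyxel firmware string: V<major>.<minor>(<platform>.<build>)C<rev>
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")

def parse_version(s):
    """Return (major, minor, platform, build, rev); raise ValueError on garbage."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {s!r}")
    major, minor, platform, build, rev = m.groups()
    return int(major), int(minor), platform, int(build), int(rev)

def assess(model, firmware):
    """Classify a device as 'vulnerable', 'patched', 'not_listed' or 'unknown'."""
    if model not in ADVISORY:
        return "not_listed"          # advisory says nothing about this model
    try:
        maj, mino, plat, build, _ = parse_version(firmware)
    except ValueError:
        return "unknown"             # unparseable inventory data: flag for manual check
    amaj, amin, aplat, abuild, _ = parse_version(ADVISORY[model][0])
    if plat != aplat:
        return "unknown"             # platform code mismatch: do not guess
    # "X and earlier" is read as: (major, minor, build) no greater than the listed build
    return "vulnerable" if (maj, mino, build) <= (amaj, amin, abuild) else "patched"

def triage(inventory):
    """inventory: iterable of (hostname, model, firmware) -> {hostname: status}."""
    return {host: assess(model, fw) for host, model, fw in inventory}

# Constructed sample inventory (not real hosts).
SAMPLE = [
    ("nas-01", "NAS326", "V5.21(AAZF.13)C0"),   # listed affected build
    ("nas-02", "NAS326", "V5.21(AAZF.14)C0"),   # the fixed build
    ("nas-03", "NAS540", "V5.21(AATB.9)C0"),    # earlier than listed: still vulnerable
    ("nas-04", "NAS542", "garbage"),            # bad inventory data
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```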
Mitigation Measures
The manufacturer does not say whether any mitigations or workarounds exist that would protect a device without installing the patch. Instead, users of affected NAS devices are simply advised to install the available security updates as soon as possible.
Recall that quite recently another vulnerability in Zyxel firewalls was actively exploited by the Mirai botnet, and two more critical vulnerabilities in several Zyxel firewall and VPN devices (CVE-2023-33009 and CVE-2023-33010) were added by the US Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog, meaning the bugs were already being exploited in the wild.
Given this, owners of vulnerable NAS devices are advised not to expose them to the Internet, but to use them only from the local network or via VPN until the update is installed.
Zyxel is a Taiwanese manufacturer of network hardware and software. It has been providing products and services to businesses, government agencies, and consumers since 1989. The company’s products include routers, switches, firewalls, wireless access points, and other networking solutions.
The bug is reported to affect three models: NAS326, NAS540, and NAS542. The affected firmware versions are V5.21(AAZF.13)C0, V5.21(AATB.10)C0, and V5.21(ABAG.10)C0 (and earlier), respectively, and the manufacturer has released a security update for each model.
Unfortunately, the company does not provide any mitigations or workarounds that would protect users without installing the patch. As such, users of affected NAS devices are advised to install the available security updates as soon as possible.
This is not the first time Zyxel has had to release an unscheduled update to fix a critical vulnerability. Quite recently another vulnerability in Zyxel firewalls was actively exploited by the Mirai botnet. Additionally, two more critical vulnerabilities in several Zyxel firewall and VPN devices (CVE-2023-33009 and CVE-2023-33010) were added by the US Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog, meaning the bugs were already being exploited in the wild.
Given this, owners of vulnerable NAS devices are advised not to expose them to the Internet, but to use them only from the local network or via VPN. This reduces the chance that an unpatched device can be reached by attackers.