Zyxel Networks Releases Security Advisory for Authentication Bypass and Command Injection Vulnerabilities in NAS Products

On November 30, 2023, Zyxel Networks released a security advisory addressing several vulnerabilities in their NAS (Network Attached Storage) products. The vulnerabilities include an authentication bypass vulnerability (CVE-2023-35137) and command injection vulnerabilities (CVE-2023-35138, CVE-2023-37927, CVE-2023-37928, CVE-2023-4473, CVE-2023-4474).

The authentication bypass vulnerability (CVE-2023-35137) could allow an unauthenticated attacker to obtain system information by exploiting an improper authentication flaw in the authentication module of Zyxel NAS devices. This can be achieved by sending a crafted URL to a vulnerable device.

The command injection vulnerabilities (CVE-2023-35138, CVE-2023-37927, CVE-2023-37928, CVE-2023-4473, CVE-2023-4474) allow both authenticated and unauthenticated attackers to execute arbitrary operating system (OS) commands. These vulnerabilities exist in different components of Zyxel NAS devices, such as the “show_zysync_server_contents” function, the CGI program, the WSGI server, and the web server.

To mitigate the risks associated with these vulnerabilities, Zyxel has released firmware patches for the affected products. Users are strongly advised to install these patches to ensure optimal protection against potential attacks.

For more information or assistance, users can contact their local service representative or visit Zyxel’s Community website.

Zyxel would like to acknowledge the security researchers and consultancies, such as Maxim Suslov, Gábor Selján from BugProve, and Drew Balfour from IBM X-Force, for their contributions in identifying and reporting these vulnerabilities.

This is the initial release of the security advisory, dated November 30, 2023.

CVEs: CVE-2023-35137, CVE-2023-35138, CVE-2023-37927, CVE-2023-37928, CVE-2023-4473, CVE-2023-4474

What are the vulnerabilities?

CVE-2023-35137

An improper authentication vulnerability in the authentication module in Zyxel NAS devices could allow an unauthenticated attacker to obtain system information by sending a crafted URL to a vulnerable device.

CVE-2023-35138

A command injection vulnerability in the “show_zysync_server_contents” function in Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

CVE-2023-37927

The improper neutralization of special elements in the CGI program in Zyxel NAS devices could allow an authenticated attacker to execute some OS commands by sending a crafted URL to a vulnerable device.

CVE-2023-37928

A post-authentication command injection vulnerability in the WSGI server in Zyxel NAS devices could allow an authenticated attacker to execute some OS commands by sending a crafted URL to a vulnerable device.

CVE-2023-4473

A command injection vulnerability in the web server in Zyxel NAS devices could allow an unauthenticated attacker to execute some OS commands by sending a crafted URL to a vulnerable device.

CVE-2023-4474

The improper neutralization of special elements in the WSGI server in Zyxel NAS devices could allow an unauthenticated attacker to execute some OS commands by sending a crafted URL to a vulnerable device.
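Every command injection entry above describes the same defect class: a client-supplied value (from a URL or an HTTP POST body) reaches an OS command without its shell metacharacters being neutralized. The following is an added illustration of that class and its fix, written for this page; it is not Zyxel's code and does not reflect how any of the listed functions are implemented. The handler, the `dir` query parameter and the `/i-data/share` root are all hypothetical.

```python
import os
import re
import shlex
from typing import List
from urllib.parse import parse_qs

# Hypothetical share root for a CGI-style "list this directory" handler.
SHARE_ROOT = "/i-data/share"
# Allowlist for a directory name: no slashes, no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def build_command_vulnerable(query_string: str) -> str:
    """Builds the command line the way an injectable handler would (CWE-78).

    The client-controlled 'dir' value is concatenated into a string that is
    later handed to a shell, so ';', '|', '`' and '$(...)' in the value are
    interpreted as shell syntax rather than as part of a path.
    """
    params = parse_qs(query_string)
    directory = params.get("dir", [""])[0]
    return "ls -1 " + SHARE_ROOT + "/" + directory


def build_command_safe(query_string: str) -> List[str]:
    """Hardened form of the same handler.

    1. Validate the value against a strict allowlist.
    2. Confine the resolved path under SHARE_ROOT (rejects '..').
    3. Return an argv list for subprocess.run(args) with no shell involved,
       so the value can only ever be a single argument.
    """
    params = parse_qs(query_string)
    directory = params.get("dir", [""])[0]
    if not SAFE_NAME.fullmatch(directory):
        raise ValueError("rejected directory name: %r" % directory)
    target = os.path.normpath(os.path.join(SHARE_ROOT, directory))
    if os.path.commonpath([SHARE_ROOT, target]) != SHARE_ROOT:
        raise ValueError("path escapes share root: %r" % target)
    return ["ls", "-1", target]


def is_rejected(query_string: str) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        build_command_safe(query_string)
    except ValueError:
        return True
    return False


def looks_injected(command_line: str) -> bool:
    """Detection helper for audit logs that record the final command line:
    flags any line that has more than the three expected tokens or carries
    shell metacharacters. shlex honours quoting, so 'a b' counts as one token."""
    try:
        tokens = shlex.split(command_line)
    except ValueError:
        return True
    return len(tokens) != 3 or any(ch in command_line for ch in ";|&`$")


if __name__ == "__main__":
    # Constructed requests: one benign, one carrying a URL-encoded ';'.
    for qs in ("dir=photos", "dir=photos%3Bid"):
        line = build_command_vulnerable(qs)
        print(qs, "->", repr(line), "injected" if looks_injected(line) else "clean",
              "| hardened handler rejects:", is_rejected(qs))
```

The hardened version never builds a shell string at all; the allowlist and the path-confinement check are defence in depth on top of that, and `looks_injected` is the kind of check a defender can run over command audit logs to spot the pattern after the fact.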

What versions are vulnerable—and what should you do?

After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period, with their firmware patches shown in the table below.

Affected model | Affected version             | Patch availability
NAS326         | V5.21(AAZF.14)C0 and earlier | V5.21(AAZF.15)C0
NAS542         | V5.21(ABAG.11)C0 and earlier | V5.21(ABAG.12)C0
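Checking a fleet of devices against the table above is a matter of parsing Zyxel's firmware string and comparing it with the patched release for the same model. The script below is an added example, not Zyxel's tooling; it assumes the version format seen on this page (`V<major>.<minor>(<code>.<build>)C<n>`, where the letter code is model-specific), and the inventory it runs over is constructed, with `NASXXX` a placeholder model that is not in the advisory.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Patch table transcribed from the advisory: the affected version "and
# earlier" is vulnerable; the listed patch and anything later is fixed.
PATCHED_FIRMWARE = {
    "NAS326": "V5.21(AAZF.15)C0",
    "NAS542": "V5.21(ABAG.12)C0",
}

# Assumed layout of the firmware string, derived from the two rows above.
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class Firmware(NamedTuple):
    major: int
    minor: int
    code: str    # model-specific build code, e.g. AAZF for NAS326
    build: int
    c: int

    def sort_key(self) -> Tuple[int, int, int, int]:
        # Ordering ignores the letter code, which is fixed per model.
        return (self.major, self.minor, self.build, self.c)


def parse_firmware(version: str) -> Firmware:
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised firmware string: %r" % version)
    major, minor, code, build, c = m.groups()
    return Firmware(int(major), int(minor), code, int(build), int(c))


def is_vulnerable(model: str, version: str) -> Optional[bool]:
    """True if `version` is at or below the affected range for `model`,
    False if it is at or above the patch, None if the model is not in the
    advisory table (i.e. this check cannot say anything about it)."""
    patched = PATCHED_FIRMWARE.get(model.upper())
    if patched is None:
        return None
    have = parse_firmware(version)
    fixed = parse_firmware(patched)
    if have.code != fixed.code:
        raise ValueError("build code %s does not match %s for %s"
                         % (have.code, fixed.code, model))
    return have.sort_key() < fixed.sort_key()


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames that still need the patch."""
    return [host for host, model, fw in inventory if is_vulnerable(model, fw)]


# Constructed inventory: (hostname, model, running firmware).
SAMPLE_INVENTORY = [
    ("nas-hq-01", "NAS326", "V5.21(AAZF.14)C0"),   # affected version
    ("nas-hq-02", "NAS326", "V5.21(AAZF.15)C0"),   # patched
    ("nas-lab-01", "NAS542", "V5.21(ABAG.11)C0"),  # affected version
    ("nas-lab-02", "NAS542", "V5.21(ABAG.12)C0"),  # patched
    ("nas-lab-03", "NASXXX", "V5.21(ZZZZ.1)C0"),   # placeholder model, not in table
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("needs patch:", host)
```

Models outside the table come back as `None` rather than `False` so that an inventory script does not silently report them as patched; a mismatched letter code raises instead of comparing, since the numeric fields are only meaningful within one model line.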