Critical RCE Vulnerability Affects Zyxel NAS Devices – Firmware Patch Released

Network equipment maker Zyxel has released patches for a critical security flaw affecting its network-attached storage (NAS) devices.

Tracked as CVE-2022-34747 (CVSS score: 9.8), the issue relates to a “format string vulnerability” affecting models NAS326, NAS540, and NAS542. Zyxel credited researcher Shaposhnikov Ilya for pointing out the flaw.

“A format string vulnerability has been found in a specific binary of Zyxel NAS products that could allow an attacker to execute unauthorized remote code via a specially crafted UDP packet,” the company said in an advisory posted on September 6.
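The advisory names the bug class but not the code. The following is an added illustration of that class in a UDP packet handler, written for this page; it is not Zyxel's binary, and the function names and packet bodies are constructed for the example. The vulnerable handler uses the packet body as the format string, so conversion directives inside the packet (such as `%x` to read stack memory or `%n` to write to memory) are interpreted by `snprintf`; the fixed handler passes the body as data behind a literal `"%s"`. A small triage check that flags payloads containing directives is included as a defender-side example.

```c
/* Added illustration of a format string vulnerability in a UDP packet
 * handler.  Constructed for this page; not Zyxel's code. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* The compiler's -Wformat-security warning fires on exactly this pattern;
 * it is silenced here only because the function is deliberately vulnerable. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* VULNERABLE: the packet body is the format string, so directives in the
 * packet are interpreted.  Even the benign "%%" is rewritten to "%". */
int log_packet_vulnerable(const char *pkt, char *out, size_t outlen)
{
    return snprintf(out, outlen, pkt);
}

/* FIXED: the format string is a literal; the packet is ordinary data and
 * any '%' bytes in it are copied verbatim. */
int log_packet_fixed(const char *pkt, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s", pkt);
}

/* Triage check for captured payloads: does the body contain a conversion
 * directive?  "%%" (a literal percent) is not counted. */
bool payload_has_format_directives(const char *pkt)
{
    for (const char *p = pkt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent, skip the pair */
            p++;
            continue;
        }
        return true;         /* '%' followed by anything else (or by NUL) */
    }
    return false;
}

int main(void)
{
    char out[128];
    /* Constructed payloads for the demonstration. */
    const char *benign = "status 50%% done";
    const char *probe  = "%08x.%08x.%08x";   /* classic stack-leak probe */

    log_packet_vulnerable(benign, out, sizeof out);
    printf("vulnerable, benign payload: %s\n", out);   /* "%%" collapsed to "%" */
    log_packet_fixed(benign, out, sizeof out);
    printf("fixed, benign payload:      %s\n", out);   /* bytes copied verbatim */
    log_packet_fixed(probe, out, sizeof out);
    printf("fixed, probe payload:       %s\n", out);   /* directives inert */
    printf("probe flagged by triage check: %d\n",
           (int)payload_has_format_directives(probe));
    /* log_packet_vulnerable(probe, ...) is deliberately not called: with no
     * arguments backing the directives it is undefined behaviour and, on a
     * real target, leaks stack contents or corrupts memory. */
    return 0;
}
```

The "%%" case is the point of the demonstration: it is the only directive that is well defined without arguments, and it shows that the vulnerable handler is parsing the packet as a format rather than copying it. Anything else an attacker places in the packet is handled the same way, which is what turns a logging call into a read or write primitive.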


The flaw affects the following versions –

  • NAS326 (V5.21(AAZF.11)C0 and earlier)
  • NAS540 (V5.21(AATB.8)C0 and earlier) and
  • NAS542 (V5.21(ABAG.8)C0 and earlier)

The disclosure follows Zyxel's July patches for a local privilege escalation flaw (CVE-2022-30526) and an authenticated directory traversal flaw (CVE-2022-2030) in its firewall products.

NAS devices are a frequent target because they hold backups and personal files. Units left unpatched or exposed to the internet allow attackers to steal the data they store and, in some cases, to delete it permanently.

In June 2022, it also patched a security vulnerability (CVE-2022-0823) that left GS1200 series switches open to password guessing via a timing side-channel attack.
