Zyxel Releases Patches to Fix 15 Flaws in NAS, Firewall, and AP Devices
Zyxel has released patches to address 15 security issues affecting network-attached storage (NAS), firewall, and access point (AP) devices, including three critical flaws that could lead to authentication bypass and command injection.
The three vulnerabilities are listed below –
- CVE-2023-35138 (CVSS score: 9.8) – A command injection vulnerability that could allow an unauthenticated attacker to execute some operating system commands by sending a crafted HTTP POST request.
- CVE-2023-4473 (CVSS score: 9.8) – A command injection vulnerability in the web server that could allow an unauthenticated attacker to execute some operating system commands by sending a crafted URL to a vulnerable device.
- CVE-2023-4474 (CVSS score: 9.8) – An improper neutralization of special elements vulnerability that could allow an unauthenticated attacker to execute some operating system commands by sending a crafted URL to a vulnerable device.
Also patched by Zyxel are three high-severity flaws (CVE-2023-35137, CVE-2023-37927, and CVE-2023-37928) that, if successfully exploited, could allow attackers to obtain system information and execute arbitrary commands. It is worth noting that both CVE-2023-37927 and CVE-2023-37928 require authentication.
The flaws affect the following models and versions –
- NAS326 – versions V5.21(AAZF.14)C0 and earlier (Patched in V5.21(AAZF.15)C0)
- NAS542 – versions V5.21(ABAG.11)C0 and earlier (Patched in V5.21(ABAG.12)C0)
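To act on the version list above, here is an added example (not from the advisory, from Zyxel, or from this article) that parses Zyxel's V5.21(AAZF.14)C0 firmware version format and flags inventory entries still on an affected build. The sample inventory lines and the triage_inventory helper are constructed for illustration; the patched versions are the ones stated above.

```python
import re
from typing import NamedTuple

# First patched firmware per model, as stated in the advisory above.
PATCHED_IN = {"NAS326": "V5.21(AAZF.15)C0", "NAS542": "V5.21(ABAG.12)C0"}

# Zyxel version strings look like V5.21(AAZF.14)C0, i.e.
# V<major>.<minor>(<series code>.<build>)C<release>
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")

class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    series: str  # product line code (AAZF = NAS326, ABAG = NAS542); not an ordering field
    build: int
    release: int

def parse_version(text: str) -> ZyxelVersion:
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised Zyxel version string: {text!r}")
    major, minor, series, build, release = match.groups()
    return ZyxelVersion(int(major), int(minor), series, int(build), int(release))

def is_vulnerable(model: str, version: str) -> bool:
    """True when the installed firmware predates the first patched build."""
    installed, fixed = parse_version(version), parse_version(PATCHED_IN[model])
    if installed.series != fixed.series:
        # A different series code means firmware for another product; do not guess.
        raise ValueError(f"{version} is not {model} firmware (expected {fixed.series})")
    def order(v: ZyxelVersion): return (v.major, v.minor, v.build, v.release)
    return order(installed) < order(fixed)

def triage_inventory(lines: list[str]) -> list[tuple[str, str]]:
    """From 'model,version' lines, return the (model, version) pairs still affected."""
    needs_patch = []
    for line in lines:
        model, version = (part.strip() for part in line.split(",", 1))
        if is_vulnerable(model, version):
            needs_patch.append((model, version))
    return needs_patch

# Constructed sample inventory (hypothetical hosts, not taken from the advisory).
SAMPLE_INVENTORY = [
    "NAS326,V5.21(AAZF.14)C0",  # last affected build -> update
    "NAS326,V5.21(AAZF.15)C0",  # first patched build -> fine
    "NAS542,V5.20(ABAG.9)C0",   # older minor version -> update
    "NAS542,V5.21(ABAG.12)C0",  # patched -> fine
]
```

Feed it the model and firmware string reported by each device's management interface; a series-code mismatch raises rather than silently reporting a device as safe.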
The advisory comes days after the Taiwanese networking vendor shipped fixes for nine flaws in select firewall and access point (AP) versions, some of which could be weaponized to access system files and administrator logs, as well as cause a denial-of-service (DoS) condition.
With Zyxel devices frequently exploited by threat actors, it is highly recommended that users apply the latest updates to mitigate potential threats.