CVE-2023-27992

2023-06-1911:42:41

CWE-78

Zyxel

www.cve.org

zyxel

nas326

nas540

nas542

firmware

pre-authentication

command injection

vulnerability

cve-2023-27992

os commands

http request

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.03 Low

EPSS

Percentile

91.0%

JSON

The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "NAS326 firmware",
    "vendor": "Zyxel",
    "versions": [
      {
        "status": "affected",
        "version": "< V5.21(AAZF.14)C0"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "NAS540 firmware",
    "vendor": "Zyxel",
    "versions": [
      {
        "status": "affected",
        "version": "< V5.21(AATB.11)C0"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "NAS542 firmware",
    "vendor": "Zyxel",
    "versions": [
      {
        "status": "affected",
        "version": "< V5.21(ABAG.11)C0"
      }
    ]
  }
]