8 matches found
Zyxel NAS < 5.21 / USG < 4.35 / ATP < 4.35 / VPN < 4.35 / ZyWALL < 4.35 RCE (CVE-2020-9054)
Firmware version of the Zyxel USG, ATP, ZyWALL or VPN is less than 4.35 or the version of Zyxel NAS is less than 5.21. This Zyxel device firmware is missing authentication logic which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an...
Command injection
A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100W firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1,...
Zyxel Flaw Powers New Mirai IoT Botnet Strain
In February, hardware maker Zyxel fixed a zero-day vulnerability in its routers and VPN firewall products after KrebsOnSecurity told the company the flaw was being abused by attackers to break into devices. This week, security researchers said they spotted that same vulnerability being exploited ...
New Mirai Variant 'Mukashi' Targets Zyxel NAS Devices
Another variant of the shape-shifting Mirai botnet is attacking Zyxel network-attached storage NAS devices using a critical vulnerability that was only recently discovered, according to security researchers. The variant, dubbed Mukashi, takes advantage of a pre-authentication command injection...
New Mirai Variant 'Mukashi' Targets Zyxel NAS Devices
Another variant of the shape-shifting Mirai botnet is attacking Zyxel network-attached storage NAS devices using a critical vulnerability that was only recently discovered, according to security researchers. The variant, dubbed Mukashi, takes advantage of a pre-authentication command injection...
CVE-2020-9054
CVE-2020-9054 (ZyXEL NAS) affects ZyXEL NAS devices on firmware v5.21 and earlier (NAS326, NAS520, NAS540, NAS542) where the weblogin.cgi authentication path fails to sanitize the username, enabling pre-authentication command injection. The vulnerability can allow an unauthenticated remote attack...
ZyXEL NAS Command Injection (CVE-2020-9054)
A command injection vulnerability exists in Multiple ZyXEL network-attached storage NAS devices. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system...
VU#498544 ZyXEL pre-authentication command injection in weblogin.cgi
” Multiple ZyXEL devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. Multiple ZyXEL devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to...