Critical RCE Vulnerability Affects Zyxel NAS Devices — Firmware Patch Released

Networking equipment maker Zyxel has released patches for a critical security flaw impacting its network-attached storage (NAS) devices.

Tracked as CVE-2022-34747 (CVSS score: 9.8), the issue relates to a “format string vulnerability” affecting NAS326, NAS540, and NAS542 models. Zyxel credited researcher Shaposhnikov Ilya for reporting the flaw.

“A format string vulnerability was found in a specific binary of Zyxel NAS products that could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet,” the company said in an advisory released on September 6.

The flaw affects the following versions -

• NAS326 (V5.21(AAZF.11)C0 and earlier)
• NAS540 (V5.21(AATB.8)C0 and earlier), and
• NAS542 (V5.21(ABAG.8)C0 and earlier)

The disclosure comes as Zyxel previously addressed local privilege escalation and authenticated directory traversal vulnerabilities (CVE-2022-30526 and CVE-2022-2030) affecting its firewall products in July.

In June 2022, it also remediated a security vulnerability (CVE-2022-0823) that left GS1200 series switches susceptible to password-guessing attacks via a timing side-channel attack.

Zyxel’s advisory comes days after QNAP warned of a new wave of DeadBolt ransomware attacks targeting its NAS users by weaponizing a previously unknown flaw in its Photo Station software.

Hacking NAS devices is becoming a common practice. If you don’t take precautions or keep the software up to date, attackers can steal your sensitive and personal data. In some instances, they even manage to permanently delete data.

Found this article interesting? Follow THN on Facebook, Twitter  and LinkedIn to read more exclusive content we post.