← Retour aux CVEs
CVE-2023-27992
CRITICALCISA KEV9.8
Description
The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request.
Details CVE
Score CVSS v3.19.8
SeveriteCRITICAL
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurNONE
Publie6/19/2023
Derniere modification10/27/2025
Sourcekev
Observations honeypot0
CISA KEV
FournisseurZyxel
ProduitMultiple Network-Attached Storage (NAS) Devices
Nom vulnerabiliteZyxel Multiple NAS Devices Command Injection Vulnerability
Date ajout KEV2023-06-23
Date limite remediation2023-07-14
Utilise dans ransomwareUnknown
Produits affectes
zyxel:nas326zyxel:nas326_firmwarezyxel:nas540zyxel:nas540_firmwarezyxel:nas542zyxel:nas542_firmware
Faiblesses (CWE)
CWE-78CWE-78
References
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-pre-authentication-command-injection-vulnerability-in-nas-products(security@zyxel.com.tw)
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-pre-authentication-command-injection-vulnerability-in-nas-products(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-27992(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.