Zyxel has just dealt with a handful of vulnerabilities that hit two of its network-attached storage (NAS) devices. Out of the six flaws, three are pretty serious, allowing bad actors to execute operating system commands without any authentication. In simpler terms, they could exploit this weakness to sneak in malware or grab data from the endpoint.
The bugs go by the names CVE-2023-35137 (with a severity score of 7.5), CVE-2023-35138 (9.8), CVE-2023-37927 (8.8), CVE-2023-37928 (8.8), CVE-2023-4473 (9.8), and CVE-2023-4474 (9.8). For the nitty-gritty on these vulnerabilities, you can dig into the details here.
The NAS devices in the spotlight are the NAS326 (running version 5.21(AAZF.14)C0 and earlier) and the NAS542 (running version 5.21(ABAG.11)C0 and earlier).
To fix these issues, the only way to go is to upgrade to the recommended versions – V521(AAZF.15)C0 or later for NAS326 and V5.21(ABAG.12)C0 or later for NAS542. No mitigations or workarounds here – the only ticket out is updating the firmware, according to Zyxel.
NAS devices are a staple for small and medium-sized businesses (SMBs), helping them manage data, support remote work, and enable collaboration. Some even use these devices for data redundancy systems. But here’s the catch – their heavy data use also makes them a sweet target for cybercriminals. Just in June this year, Sternum, an IoT cybersecurity company, spotted a security vulnerability affecting Zyxel’s NAS drives. It seems like keeping an eye on these devices is becoming increasingly crucial in the ever-evolving cybersecurity landscape.
