Earlier this week, Zyxel said it had discovered and addressed half a dozen vulnerabilities affecting two of its Network-Attached Storage (NAS) devices.
Of the six flaws, three are of critical severity, allowing threat actors to execute operating system commands without authentication. In other words, they could exploit the flaw to install malware or extract information from the endpoint.
The bugs are tracked as CVE-2023-35137 (severity score 7.5), CVE-2023-35138 (9.8), CVE-2023-37927 (8.8), CVE-2023-37928 (8.8), CVE-2023-4473 (9.8). ), and CVE-2023-4474 (9.8). More details about the vulnerabilities can be found here.
Lots of personal information
The affected devices are NAS326, running version 5.21(AAZF.14)C0 and earlier, and NAS542, running version 5.21(ABAG.11)C0 and earlier.
The only way to resolve the issues is to upgrade to the recommended versions: V521(AAZF.15)C0 or higher for NAS326, and V5.21(ABAG.12)C0 or higher for NAS542. There are no solutions and no solutions. The only way to address the shortcomings is to update the firmware, Zyxel said.
NAS devices are typically used by small and medium-sized businesses (SMBs) to manage their data, facilitate remote working, or enable various collaboration options. Some companies also use it for data redundancy systems, BleepingComputer explains. They are built for high data volumes, it added.
This also makes them a prime target for cybercriminals. In June this year, IoT cybersecurity company Sternum identified a security issue affecting Zyxel's NAS drives NAS326, NAS540 and NAS542, all running on firmware version 5.21.
Last year, QNAP urged its NAS users to immediately patch their endpoints as newly discovered flaws were being used by threat actors to deploy the Deadbolt ransomware. QNAP's NAS devices were also found to be vulnerable to the DirtyPipe flaw that caused quite a stir last year.