CVE-2023-27988

The post-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.13)C0 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device remotely.

Published: May 30, 2023
Updated: Jun 3, 2023
CVE: CVE-2023-27988
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.2
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-78

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
zyxel / nas326_firmware	-	5.21\(aazf.13\)c0
zyxel / nas540_firmware	-	5.21\(aatb.10\)c0
zyxel / nas542_firmware	-	5.21\(abag.10\)c0

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-nas-products

Vulnerability Database

290,020

CVE-2023-27988