Zyxel addressed a critical vulnerability, tracked as CVE-2022-34747, impacting its network-attached storage (NAS) devices.
The CVE-2022-34747 (CVSS score: 9.8) flaw is classified as a format string vulnerability that resides in Zyxel NAS326 firmware versions prior to V5.21(AAZF.12)C0. An attacker can exploit the vulnerability to achieve unauthorized remote code execution via a crafted UDP packet.
“A format string vulnerability was found in a specific binary of Zyxel NAS products that could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet,” reads the advisory published by the vendor.
Below is the list of affected models and the firmware patches released by the company.
| Affected model | Affected version | Patch availability |
|---|---|---|
| NAS326 | V5.21(AAZF.11)C0 and earlier | V5.21(AAZF.12)C0 |
| NAS540 | V5.21(AATB.8)C0 and earlier | V5.21(AATB.9)C0 |
| NAS542 | V5.21(ABAG.8)C0 and earlier | V5.21(ABAG.9)C0 |
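
An inventory check against the table above, added here as an example and not taken from the Zyxel advisory: it parses firmware strings and reports which devices are still below the fixed release. The version layout `V<major>.<minor>(<model code>.<patch>)C<revision>`, the numeric ordering of its fields, and the host names in the sample inventory are assumptions.

```python
import re

# Fixed firmware per model, copied from the advisory table on this page.
PATCHED = {
    "NAS326": "V5.21(AAZF.12)C0",
    "NAS540": "V5.21(AATB.9)C0",
    "NAS542": "V5.21(ABAG.9)C0",
}

# Assumed layout: V<major>.<minor>(<model code>.<patch>)C<revision>
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def parse_version(text):
    """Return (model_code, (major, minor, patch, revision)); raise ValueError if malformed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, code, patch, rev = m.groups()
    # Compare fields as integers: as strings, "9" would sort after "12".
    return code, (int(major), int(minor), int(patch), int(rev))


def check_device(model, version):
    """Classify one device as 'patched', 'vulnerable' or 'unknown'."""
    fixed = PATCHED.get(model.strip().upper())
    if fixed is None:
        return "unknown"  # model is not listed in the advisory table
    try:
        code, have = parse_version(version)
    except ValueError:
        return "unknown"  # unparseable string: needs manual review
    fixed_code, need = parse_version(fixed)
    if code != fixed_code:
        return "unknown"  # firmware code does not match the stated model
    return "patched" if have >= need else "vulnerable"


def audit(inventory):
    """Map each host name to its status."""
    return {host: check_device(model, ver) for host, model, ver in inventory}


# Constructed sample inventory (hypothetical hosts, not real devices).
INVENTORY = [
    ("nas-a", "NAS326", "V5.21(AAZF.11)C0"),
    ("nas-b", "NAS326", "V5.21(AAZF.9)C0"),
    ("nas-c", "NAS540", "V5.21(AATB.9)C0"),
    ("nas-d", "NAS542", "V5.21(ABAG.8)C0"),
    ("nas-e", "NAS326", "V5.21(AATB.9)C0"),
]

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as `unknown` have a model or firmware string the table does not cover and need a manual check against the vendor advisory.
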
The vulnerability was reported to Zyxel by Shaposhnikov Ilya.
In May 2022, Zyxel released security updates to address multiple vulnerabilities affecting multiple products, including firewall, AP, and AP controller products.
Below is the list of the four vulnerabilities; the most severe one is a command injection flaw in some CLI commands tracked as CVE-2022-26532 (CVSS v3.1 7.8):
(SecurityAffairs – hacking, Zyxel)