** UNSUPPORTED WHEN ASSIGNED ** The remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device.
The vulnerability (CWE-434 — unrestricted upload of file with dangerous type) lies in the CGI program 'file_upload-cgi' that handles configuration file uploads. An unauthenticated attacker can upload a crafted configuration file to the vulnerable device accessible over the network. Lack of proper file verification allows execution of malicious code contained in the file on the device.
An attacker gains the ability to execute arbitrary code on the vulnerable device from the network without needing any credentials, which may lead to complete takeover of the NAS device along with stored data.
Update Zyxel NAS326 firmware to version V5.21(AAZF.17)C0 or later, and Zyxel NAS542 to version V5.21(ABAG.14)C0 or later. Due to the end-of-support status of these devices, replacing them with actively supported models is recommended. Until the patch is applied, restrict network access to the device management interface — especially block exposure to the public internet.
Zyxel NAS326 with firmware versions prior to V5.21(AAZF.17)C0 and Zyxel NAS542 with firmware versions prior to V5.21(ABAG.14)C0. The manufacturer marked these devices as UNSUPPORTED at the time of vulnerability assignment.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HZyxel Nas326
HWZyxelwszystkie wersjeZyxel Nas326 Firmware
OSZyxel< 5.21\(aazf.17\)c0Zyxel Nas542
HWZyxelwszystkie wersjeZyxel Nas542 Firmware
OSZyxel< 5.21\(abag.14\)c0
Related vulnerabilities
The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AA...
Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authenticati...
Command injection w Zyxel NAS326/NAS542 — zdalne wykonanie poleceń OS
Command injection w parametrze setCookie urządzeń Zyxel NAS326/NAS542
Command injection w Zyxel NAS326/NAS542 — nieuwierzytelnione RCE