Zyxel NAS Devices Have a Critical RCE Vulnerability

Networking equipment maker Zyxel has released patches for a critical security flaw impacting its network-attached storage (NAS) devices.

Tracked as CVE-2022-34747 (CVSS score: 9.8), the issue relates to a “format string vulnerability” affecting NAS326, NAS540, and NAS542 models. Zyxel credited researcher Shaposhnikov Ilya for reporting the flaw.

The company stated in an alert published on September 6 that “a format string vulnerability was detected in a certain binary of Zyxel NAS systems that could allow an attacker to accomplish unauthorised remote code execution through a forged UDP packet.”

The flaw affects the following versions –

  • NAS326 (V5.21(AAZF.11) C0 and earlier)
  • NAS540 (V5.21(AATB.8) C0 and earlier), and
  • NAS542 (V5.21(ABAG.8) C0 and earlier)

The disclosure comes after Zyxel addressed local privilege escalation and authenticated directory traversal vulnerabilities (CVE-2022-30526 and CVE-2022-2030) affecting its firewall products in July.

Attacks on NAS equipment are a growing trend. Attackers can steal your sensitive and personal data if you don’t take safeguards or keep the software updated. They sometimes even succeed in permanently erasing data.

In June 2022, Zyxel also remediated a security vulnerability (CVE-2022-0823) that left GS1200 series switches susceptible to password-guessing attacks via a timing side channel.
