Zyxel says it has discovered and addressed half a dozen vulnerabilities affecting two of its network-attached storage (NAS) devices.
Out of the six flaws, three are of critical severity, and allow threat actors to run operating system commands without authentication. In other words, they could abuse the flaw to install malware or extract information from the endpoint.
The bugs are tracked as CVE-2023-35137 (severity score 7.5), CVE-2023-35138 (9.8), CVE-2023-37927 (8.8), CVE-2023-37928 (8.8), CVE-2023-4473 (9.8), and CVE-2023-4474 (9.8). More details about the vulnerabilities can be found here.
Plenty of personal data
The affected devices are NAS326 running version 5.21(AAZF.14)C0 and earlier, and NAS542, running version 5.21(ABAG.11)C0 and earlier.
The only way to fix the issues is to upgrade to the recommended versions - V521(AAZF.15)C0 or later for NAS326, and V5.21(ABAG.12)C0 or later for NAS542. There are no mitigations and no workarounds. The only way to address the flaws is by updating the firmware, Zyxel said.
NAS devices are usually used by small and medium-sized businesses (SMB) to manage their data, facilitate remote work, or enable different collaboration options. Some businesses use it for data redundancy systems, too, BleepingComputer explains. They are built for high data volumes, it added.
This also makes them a prime target for cybercriminals. In June this year, IoT cybersecurity company Sternum identified a security vulnerability affecting Zyxel’s NAS drives NAS326, NAS540, and NAS542 models, all running on firmware version 5.21.
Last year, QNAP urged its NAS users to patch their endpoints immediately, as newly discovered flaws were being used by threat actors to deploy the Deadbolt ransomware. QNAP’s NAS devices were also found to be vulnerable to the DirtyPipe flaw that caused quite a ruckus last year.
More from TechRadar Pro
- Top NAS devices are being targeted by this dangerous malware
- Here's a list of the best firewalls around today
- These are the best malware removal tools right now
