Zyxel discloses critical vulnerability in NAS devices

Target Industry

Indiscriminate, opportunistic targeting.


Zyxel has disclosed a critical-level security vulnerability within its Network Attached Storage (NAS) devices. The flaw, tracked as CVE-2023-27992 (CVSSv3 Score: 9.8), is a command injection issue that could allow threat actors to execute operating system commands.


Successful exploitation of CVE-2023-27992 could allow an unauthenticated threat actor to execute operating system (OS) commands remotely by sending a crafted HTTP request and, as such, lead to the compromise of target systems.

Vulnerability Detection

Zyxel has released security patches for the vulnerability. Firmware versions that predate these patches remain vulnerable to exploitation.

Affected Products

– NAS326 – impacts V5.21(AAZF.13)C0 and earlier

– NAS540 – impacts V5.21(AATB.10)C0 and earlier

– NAS542 – impacts V5.21(ABAG.10)C0 and earlier
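
As an added example (not from Zyxel or the original bulletin), the Python below checks an asset inventory against the affected versions listed above. It assumes the firmware string layout V<major>.<minor>(<model code>.<build>)C<revision> and that build numbers order numerically; the function names and inventory rows are constructed for illustration.

```python
import re

# Highest affected firmware per model, taken from the bulletin's list.
AFFECTED_UP_TO = {
    "NAS326": "V5.21(AAZF.13)C0",
    "NAS540": "V5.21(AATB.10)C0",
    "NAS542": "V5.21(ABAG.10)C0",
}

# Assumed layout: V<major>.<minor>(<model code>.<build>)C<revision>
FW_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)C(\d+)$")


def parse_firmware(version):
    """Return (model_code, sortable_tuple) or raise ValueError."""
    m = FW_RE.match(version.strip().upper())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    major, minor, code, build, rev = m.groups()
    return code, (int(major), int(minor), int(build), int(rev))


def assess(model, firmware):
    """Classify a device: 'affected', 'not-listed-as-affected' or 'unknown'."""
    ceiling = AFFECTED_UP_TO.get(model.strip().upper())
    if ceiling is None:
        return "unknown"          # model is not in the bulletin's list
    try:
        code, installed = parse_firmware(firmware)
    except ValueError:
        return "unknown"          # do not guess; check the device by hand
    ceiling_code, ceiling_ver = parse_firmware(ceiling)
    if code != ceiling_code:
        return "unknown"          # firmware code does not match this model
    # Integer comparison matters: build 9 is earlier than build 10.
    return "affected" if installed <= ceiling_ver else "not-listed-as-affected"


# Constructed inventory rows (model, reported firmware), not real devices.
INVENTORY = [
    ("NAS326", "V5.21(AAZF.13)C0"),
    ("NAS540", "V5.21(AATB.9)C0"),
    ("NAS542", "V5.21(AATB.10)C0"),   # wrong model code for a NAS542
    ("NAS999", "V5.21(ZZZZ.5)C0"),    # hypothetical model, not in the list
]

if __name__ == "__main__":
    for model, fw in INVENTORY:
        print(f"{model:8} {fw:20} {assess(model, fw)}")
```

A result of "not-listed-as-affected" means only that the version is later than the bulletin's threshold; confirm the fixed release against the Zyxel Advisory.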

Containment, Mitigations & Remediations

It is strongly recommended that users of the affected products apply the relevant security updates as soon as possible. These can be found within the Zyxel Advisory.

Threat Landscape

Zyxel occupies a significant proportion of the telephony technology market share. Given that threat actors generally use a combination of probability and asset value to determine which attack surfaces to focus on, Zyxel products could emerge as a prime target. Because Zyxel products have become integral to business operations, threat actors will continue to exploit vulnerabilities in these devices in an attempt to extract the sensitive information they hold.

The disclosure of CVE-2023-27992 comes just weeks after Zyxel firewalls and virtual private network (VPN) products were subjected to attack campaigns involving Mirai botnets. Exploitation of this vulnerability does not require authentication, which makes it more convenient for threat actors. With this in mind, it is likely that attackers will attempt to exploit the flaw.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

MITRE Methodologies

Common Weakness Enumeration (CWE):

CWE-78 – Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Further Information

Zyxel Advisory


Intelligence Terminology Yardstick