CVE-2023-27988
Description
The post-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.13)C0 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device remotely.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Post-authentication command injection in Zyxel NAS326 firmware prior to V5.21(AAZF.13)C0 allows admin to execute OS commands.
Vulnerability
A post-authentication command injection vulnerability exists in the web management interface of Zyxel NAS326 devices. The issue affects firmware versions prior to V5.21(AAZF.13)C0. An authenticated attacker with administrator privileges can exploit this flaw to inject arbitrary operating system commands. [1]
Exploitation
To exploit the vulnerability, an attacker must first obtain valid administrator credentials for the NAS326 device. Once authenticated, the attacker can send crafted HTTP requests to the web management interface, which fails to properly sanitize user input, allowing injection of OS commands. The commands are executed with the privileges of the web server process, typically root. [1]
Impact
Successful exploitation allows an authenticated administrator to execute arbitrary OS commands remotely on the affected device. This can lead to full compromise of the NAS, including data exfiltration, modification, or denial of service. The attacker gains complete control over the device. [1]
Mitigation
Zyxel has released firmware version V5.21(AAZF.13)C0 to address this vulnerability. Users are advised to update their NAS326 devices to this version or later. No workarounds are available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. [1]
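The upgrade advice above turns into an inventory check once reported firmware strings are compared against V5.21(AAZF.13)C0. The following is an added example, not code from Zyxel or from this page; it assumes the version layout V<major>.<minor>(<model code>.<revision>)C<build>, and the host names and inventory values are constructed.

```python
import re

# Fixed release named on this page for the NAS326.
FIXED = "V5.21(AAZF.13)C0"

# Assumed layout: V<major>.<minor>(<model code>.<revision>)C<build>
_VERSION = re.compile(r"V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)")


def parse_firmware(version):
    """Return (model_code, numeric_tuple), or None if the string does not fit."""
    m = _VERSION.fullmatch(version.strip().upper())
    if m is None:
        return None
    major, minor, model, revision, build = m.groups()
    return model, (int(major), int(minor), int(revision), int(build))


def status(version, fixed=FIXED):
    """Classify a reported version as 'vulnerable', 'fixed' or 'unknown'."""
    got, want = parse_firmware(version), parse_firmware(fixed)
    if got is None or want is None or got[0] != want[0]:
        # Unparseable, or a different model code: not comparable, review by hand.
        return "unknown"
    return "vulnerable" if got[1] < want[1] else "fixed"


def audit(inventory):
    """Map each host to its status; inventory is {host: version string}."""
    return {host: status(version) for host, version in inventory.items()}


# Constructed inventory for illustration; hosts and versions are not real data.
SAMPLE = {
    "nas-01": "V5.21(AAZF.12)C0",
    "nas-02": "V5.21(AAZF.9)C0",   # sorts after the fix as text, before it numerically
    "nas-03": "V5.21(AAZF.13)C0",
    "nas-04": "V5.21(AAZF.14)C0",
    "nas-05": "V5.21(AATB.10)C0",  # different model code, so not comparable
    "nas-06": "5.21",
}

if __name__ == "__main__":
    for host, result in audit(SAMPLE).items():
        print(f"{host}: {SAMPLE[host]} -> {result}")
```

Comparing the raw strings would rank revision 9 above revision 13, which is why the fields are compared as integers.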
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Zyxel/NAS326 firmware v5, Range: < V5.21(AAZF.13)C0
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.