CVE-2023-37927
Description
The improper neutralization of special elements in the CGI program of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an authenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper neutralization of special elements in Zyxel NAS CGI program allows authenticated OS command injection via crafted URL.
Vulnerability
The improper neutralization of special elements in the CGI program of Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 allows an authenticated attacker to inject operating system (OS) commands. The flaw exists in the CGI component that fails to sanitize user-supplied input, enabling command execution when a crafted URL is processed. [1][2]
Exploitation
An attacker must first obtain valid credentials for the NAS device (e.g., via a weak password, brute force, or a prior compromise). After authentication, the attacker sends a specially crafted HTTP request to a vulnerable CGI endpoint. The crafted URL carries shell metacharacters or a command-injection payload (URL-encoded in transit, decoded by the CGI program) that the program does not neutralize before handing the value to the underlying shell, so arbitrary OS commands run on the device. The BugProve write-up describes the injection as blind: command output is not returned in the HTTP response, so an attacker confirms execution through side effects such as a file written or an outbound connection. No user interaction is required beyond authentication. [1][2]
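To make the mechanism concrete, the following is an added example and not Zyxel's code: a made-up CGI diagnostic handler that splices a URL parameter (`host`) into a shell command, beside a hardened form that validates against an allowlist and executes an argv without any shell. The endpoint, parameter name, ping command and the crafted value are all constructed for illustration; nothing here is taken from the affected firmware.

```c
/* Added example (not Zyxel's code): an authenticated CGI handler that passes a
 * URL parameter to the shell, and the hardened pattern that removes the shell. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Minimal percent-decoding of one query-string value ("%3B" -> ';', '+' -> ' '),
 * which is what turns a harmless-looking URL into shell metacharacters. */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

void url_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outlen; i++) {
        if (in[i] == '%' && hexval(in[i + 1]) >= 0 && hexval(in[i + 2]) >= 0) {
            out[o++] = (char)(hexval(in[i + 1]) * 16 + hexval(in[i + 2]));
            i += 2;
        } else if (in[i] == '+') {
            out[o++] = ' ';
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
}

/* VULNERABLE pattern (CWE-78): the decoded value is spliced into a command string
 * that a real handler would pass to system()/popen(). Returned instead of executed
 * so the injected command is visible. Hypothetical command, not from the firmware. */
int build_cmd_vulnerable(const char *host, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "/bin/ping -c 1 %s", host);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Decode a raw URL value, build the vulnerable command, and report whether a shell
 * metacharacter survived into the part the shell would parse as the host. */
int vulnerable_cmd_is_injected(const char *raw_value) {
    char decoded[256], cmd[512];
    url_decode(raw_value, decoded, sizeof decoded);
    if (build_cmd_vulnerable(decoded, cmd, sizeof cmd) != 0) return 0;
    return strpbrk(cmd + strlen("/bin/ping -c 1 "), ";|&`$\n") != NULL;
}

/* Allowlist: only characters legitimate in a hostname or IP literal. Rejecting is
 * safer than escaping, which has to enumerate every metacharacter correctly. */
int is_safe_host(const char *host) {
    size_t len = strlen(host);
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':')) return 0;
    }
    return 1;
}

/* HARDENED pattern: validate, then exec an argv directly so no shell ever parses
 * the value. Returns ping's exit status, -1 if rejected, -2 on fork/exec failure. */
int run_ping_hardened(const char *host) {
    if (!is_safe_host(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        char *const argv[] = {"/bin/ping", "-c", "1", (char *)host, NULL};
        execv(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
}

int main(void) {
    /* Constructed crafted value as it would appear in the URL query string. */
    const char *raw = "192.0.2.1%3Bcat+/etc/shadow";
    char decoded[256], cmd[512];
    url_decode(raw, decoded, sizeof decoded);
    build_cmd_vulnerable(decoded, cmd, sizeof cmd);
    printf("vulnerable handler would run: %s\n", cmd);
    printf("hardened handler verdict: %d\n", run_ping_hardened(decoded));
    return 0;
}
```

The decoded value becomes `192.0.2.1;cat /etc/shadow`, so the vulnerable handler runs a second command with the CGI process's privileges; the hardened handler rejects the same value before any process is spawned. Because the injected command's output never reaches the HTTP response in this pattern, it matches the blind behaviour described above.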
Impact
Successful exploitation allows the authenticated attacker to execute arbitrary OS commands with the privileges of the CGI process, which on embedded NAS firmware of this kind is commonly root. That can lead to full compromise of the NAS device, including data exfiltration, malware or persistence installation, and pivoting further into the network. The impact is a complete loss of confidentiality, integrity, and availability of the affected NAS system. [1][2]
Mitigation
Zyxel's security advisory lists patched firmware: V5.21(AAZF.15)C0 for the NAS326, and a corresponding fixed version for the NAS542 in the same advisory. Users should update to the latest firmware available from Zyxel. No workarounds are documented; the manufacturer recommends installing the available patch. Until patched, restricting web-management access to trusted networks and rotating administrative credentials reduce exposure, since exploitation requires authentication. [1][2]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zyxel / NAS326 firmware: V5.21(AAZF.14)C0
- Zyxel / NAS542 firmware: V5.21(ABAG.11)C0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products (vendor advisory)
- [2] https://bugprove.com/knowledge-hub/cve-2023-37927-and-cve-2023-37928-multiple-post-auth-blind-os-command-and-python-code-injection-vulnerabilities-in-zyxel-s-nas-326-devices/
News mentions
No linked articles in our index yet.