CVE-2023-37928
Description
A post-authentication command injection vulnerability in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an authenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Post-authentication command injection in Zyxel NAS326 and NAS542 WSGI server allows authenticated attackers to execute OS commands via crafted URL.
Vulnerability
CVE-2023-37928 is a post-authentication command injection vulnerability in the WSGI server of Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0. The vulnerability arises from improper neutralization of special elements in the WSGI server, allowing an authenticated attacker to inject OS commands through a crafted URL [1][2]. The affected products are within their vulnerability support period [2].
Exploitation
An attacker must first authenticate to the NAS device. After authentication, the attacker sends a specially crafted URL to the vulnerable WSGI server, which executes arbitrary OS commands. No additional user interaction is required beyond the initial authentication [1][2]. The disclosure timeline indicates that this vulnerability was reported after an incomplete fix for a previous CVE [1].
Impact
Successful exploitation allows an authenticated attacker to execute arbitrary operating system commands on the device. This can lead to full system compromise, including privilege escalation, data exfiltration, and potential lateral movement within the network [1][2].
Mitigation
Zyxel released firmware version V5.21(AAZF.15)C0 on November 16, 2023, which fixes this vulnerability [2]. Users are advised to update their NAS devices to the latest firmware. No workarounds are available for unpatched devices [1][2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zyxel NAS326 firmware v5, affected range: V5.21(AAZF.14)C0
- Zyxel NAS542 firmware v5, affected range: V5.21(ABAG.11)C0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products (MITRE; vendor advisory)
- bugprove.com/knowledge-hub/cve-2023-37927-and-cve-2023-37928-multiple-post-auth-blind-os-command-and-python-code-injection-vulnerabilities-in-zyxel-s-nas-326-devices/ (MITRE)
News mentions
No linked articles in our index yet.