VYPR
← All advisories
Unrated severityNVD Advisory· Published Nov 30, 2023· Updated Dec 16, 2025

CVE-2023-4473

CVE-2023-4473

Description

A command injection vulnerability in the web server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated command injection in Zyxel NAS326 and NAS542 web server allows OS command execution via crafted URL.

Vulnerability

A command injection vulnerability exists in the web server of Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0. The flaw allows an unauthenticated attacker to execute arbitrary operating system commands by sending a crafted URL to the vulnerable device [1][2].

Exploitation

An attacker can exploit this vulnerability over the network without any authentication. The attack vector is a crafted HTTP request to the web server, where malicious OS commands are injected via URL parameters. No user interaction or special privileges are required [1][2].

Impact

Successful exploitation grants the attacker the ability to execute arbitrary OS commands with the privileges of the web server process. This can lead to full compromise of the NAS device, including data disclosure, modification, or denial of service [1][2].

Mitigation

Zyxel released firmware version V5.21(AAZF.15)C0 for NAS326 on November 16, 2023, which addresses this vulnerability. Users should update to the latest firmware. No workaround is available [2].

References
  1. Authentication Bypass Vulnerability in Embedded Firmware (Zyxel NAS Case Study)
  2. Zyxel security advisory for authentication bypass and command injection vulnerabilities in NAS products | Zyxel Networks

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4
  • Zyxel/NAS326llm-fuzzy
    Range: = V5.21(AAZF.14)C0
  • Zyxel/NAS542llm-fuzzy
    Range: = V5.21(ABAG.11)C0
  • Zyxel/NAS326 firmwarev5
    Range: V5.21(AAZF.14)C0
  • Zyxel/NAS542 firmwarev5
    Range: V5.21(ABAG.11)C0

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2

News mentions

0

No linked articles in our index yet.