Zyxel has released security updates to address critical flaws impacting two of its network-attached storage (NAS) devices that have currently reached end-of-life (EoL) status.
Successful exploitation of three of the five vulnerabilities could permit an unauthenticated attacker to execute operating system (OS) commands and arbitrary code on affected installations.
Impacted models include NAS326 running versions V5.21(AAZF.16)C0 and earlier, and NAS542 running versions V5.21(ABAG.13)C0 and earlier. The shortcomings have been resolved in versions V5.21(AAZF.17)C0 and V5.21(ABAG.14)C0, respectively.
A brief description of the flaws is as follows –
Outpost24 security researcher Timothy Hjort has been credited with discovering and reporting the five flaws. It’s worth noting that the two of the privilege escalation flaws that require authentication remain unpatched.
While there is no evidence that the issues have been exploited in the wild, users are recommended to update to the latest version for optimal protection.
