Taiwanese networking device vendor Zyxel has posted security warnings for major vulnerabilities haunting users of its firewalls, access points and network attached storage (NAS) devices.
Zyxel, a company that has struggled with software security problems, documented at least 15 security flaws in a range of products and warned that unpatched devices are at risk of authentication bypass, command injection and denial-of-service attacks.
The company is calling special attention to exposed attack surfaces in its firewalls and access points, warning that multiple devices can be exploited to access configuration files, steal sensitive cookies, cause denial-of-service conditions or execute commands.
In some cases, Zyxel said its firewalls and access points could allow an authenticated local attacker to modify the URL of the registration page in the web GUI of an affected device or access the administrator’s logs on an affected device.
The hardware vendor also shipped a second bulletin to warn of an authentication bypass vulnerability and command injection vulnerabilities in two NAS (network attached storage) products.
In all, Zyxel documented six separate flaws in the NAS226 and NAS542 cloud storage devices, noting that attackers can exploit the flaws to capture sensitive system information or execute some operating system (OS) commands via booby-trapped URLs.
Security defects in Zyxel products feature prominently in the CISA KEV (Known Exploited Vulnerabilities) catalog, and the company has acknowledged its devices have been ensnared in multiple DDoS-capable botnets.