Networking solutions provider Zyxel has released patches for a critical-severity vulnerability impacting the firmware of multiple network attached storage (NAS) device models.
The security defect, tracked as CVE-2022-34747, carries a CVSS score of 9.8/10 and is publicly documented as a format string vulnerability impacting Zyxel NAS326 firmware versions prior to V5.21(AAZF.12)C0.
An attacker could exploit the vulnerability by sending specially crafted UDP packets to the affected products. Successful exploitation of the bug could allow an attacker to execute arbitrary code on the impacted device, the company said in an advisory.
“A format string vulnerability was found in a specific binary of Zyxel NAS products that could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet,” the company added.
Zyxel says its investigation has identified only three affected NAS models that are still within their support lifetime.
The vendor silently patched the vulnerability in mid-August with firmware updates for NAS326, NAS540, and NAS542 device models, but delayed publication of the flaw details until this week.
Zyxel credited security researcher Shaposhnikov Ilya with reporting the vulnerability.
Zyxel’s advisory was published only days after QNAP warned of a new wave of Deadbolt ransomware attacks targeting its NAS users.
NAS devices – which are typically used for storing large amounts of data – are often targeted in ransomware attacks, and remote code execution bugs in them can easily lead to complete device compromise.
Previously, Zyxel NAS products were targeted by a variant of the Mirai botnet, in attacks that exploited another critical-severity vulnerability leading to remote code execution.