Security Experts:

Connect with us

Hi, what are you looking for?



Zyxel Patches Zero-Day Vulnerability in Network Storage Products

Networking devices vendor Zyxel has released patches for several network attached storage (NAS) devices to address a critical vulnerability that is already being exploited by cybercriminals.

Networking devices vendor Zyxel has released patches for several network attached storage (NAS) devices to address a critical vulnerability that is already being exploited by cybercriminals.

Tracked as CVE-2020-9054, the issue is a remote code execution flaw that can be exploited without authentication and which resides in the weblogin.cgi CGI executable failing to properly sanitize the username parameter passed to it. 

Thus, if certain characters are included in the username, the vulnerability can be exploited for command injection with the privileges of the web server. An attacker can then leverage a setuid utility included on the device to run any command with root privileges, CERT Coordination Center (CERT/CC) explains. 

“A remote code execution vulnerability was identified in the weblogin.cgi program of Zyxel NAS products running firmware version 5.21 and earlier. Missing authentication for the program could allow attackers to perform remote code execution via OS command injection,” Zyxel explains in an advisory.

A remote attacker could execute arbitrary code on a vulnerable Zyxel device by sending a specially-crafted HTTP POST or GET request. The bug could be triggered even if the attacker does not have direct connectivity to the device (if the device is not exposed to the web), but the victim connects to a malicious website. 

An exploit for the vulnerability has been available for sale on underground forums for a while now, priced at $20,000, security reporter Brian Krebs, who alerted Zyxel, DHS, and CERT/CC on the flaw, reveals. 

Krebs also says that groups specializing in deploying ransomware at scale have shown interest in the exploit, and that the Emotet gang would intend to include the exploit in their malware. 

This week, Zyxel released patches for four of the devices found vulnerable, namely NAS326, NAS520, NAS540, and NAS542. 

However, ten other NAS products from the vendor are no longer supported and won’t receive fixes. These include NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2.

Mitigation steps for these devices include blocking access to the web interface (80/tcp and 443/tcp) and ensuring that the NAS is not exposed to the Internet. CERT/CC, which rates the vulnerability as having a CSSV score of 10, also recommends isolating from the Internet any machine that can access the vulnerable web interface.

“Do not leave the product directly exposed to the internet. If possible, connect it to a security router or firewall for additional protection,” Zyxel notes. 

Related: Zyxel Devices Can Be Hacked via DNS Requests, Hardcoded Credentials

Related: SOHOpelessly Broken 2.0: 125 Vulnerabilities Found in Routers, NAS Devices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet