CVE-2022-34747: Zyxel NAS products unauthorized remote code execution flaw
Networking equipment maker Zyxel has released security updates for a critical vulnerability affecting its NAS products that could enable an attacker to take control of the devices.
The flaw is tracked as CVE-2022-34747, and Shaposhnikov Ilya is credited with reporting it. The bug has received a CVSS v3 severity score of 9.8, rated critical, but not many details have been disclosed. By sending a specially crafted UDP packet, an attacker could exploit this vulnerability to execute arbitrary code on the system.
“A format string vulnerability was found in a specific binary of Zyxel NAS products that could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet,” Zyxel said in an advisory.
Remote code execution allows a threat actor to run code on a target machine across the internet, a wide area network (WAN), or a local area network (LAN). Remote code execution usually occurs due to malware downloaded by the host and can happen regardless of the device’s geographic location.
The following Zyxel products are impacted by CVE-2022-34747:
Affected model | Affected version | Patch availability |
---|---|---|
NAS326 | V5.21(AAZF.11)C0 and earlier | V5.21(AAZF.12)C0 |
NAS540 | V5.21(AATB.8)C0 and earlier | V5.21(AATB.9)C0 |
NAS542 | V5.21(ABAG.8)C0 and earlier | V5.21(ABAG.9)C0 |
Zyxel has already released security updates for the impacted devices in the form of firmware updates. It’s recommended that users install the firmware updates to prevent any potential threats.
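To check a device inventory against the table above, the following added example (not code from Zyxel or from the original article) parses the firmware string layout used in the table and compares the build number with the first patched release. The function names, the status labels and the sample inventory are assumptions made for illustration.

```python
import re

# First patched firmware per model, copied from the advisory table above.
PATCHED = {
    "NAS326": "V5.21(AAZF.12)C0",
    "NAS540": "V5.21(AATB.9)C0",
    "NAS542": "V5.21(ABAG.9)C0",
}

# Layout assumed from the table entries: V<major>.<minor>(<code>.<build>)C<n>
FW_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C\d+$")


def parse_firmware(version):
    """Return (project_code, (major, minor, build)) or raise ValueError."""
    m = FW_RE.match(version.strip().upper())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    major, minor, code, build = m.groups()
    return code, (int(major), int(minor), int(build))


def check_device(model, version):
    """Classify a device: 'patched', 'vulnerable', 'not-listed' or 'unknown'."""
    fixed = PATCHED.get(model.strip().upper())
    if fixed is None:
        return "not-listed"      # model does not appear in the table
    try:
        code, have = parse_firmware(version)
    except ValueError:
        return "unknown"         # unparseable string: review by hand
    fixed_code, need = parse_firmware(fixed)
    if code != fixed_code:
        return "unknown"         # firmware code belongs to another model
    # Tuples of ints compare numerically, so build 10 ranks above build 9.
    return "patched" if have >= need else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    inventory = [
        ("nas-a", "NAS326", "V5.21(AAZF.11)C0"),
        ("nas-b", "NAS540", "V5.21(AATB.10)C0"),
        ("nas-c", "NAS542", "V5.21(ABAG.8)C0"),
        ("nas-d", "NAS542", "5.21"),
    ]
    for host, model, fw in inventory:
        print(f"{host}\t{model}\t{fw}\t{check_device(model, fw)}")
```

Devices reported as `unknown` have a firmware string that does not match the model's release line and need a manual check.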