CVE-2023-27992 — Zyxel Multiple NAS Devices Command Injection Vulnerability

Zyxel NAS326/NAS540/NAS542 — Pre-Auth OS Command Injection via Crafted HTTP Request; 4-Day KEV Turnaround; Fixed June 2023

What is Zyxel NAS?

Zyxel NAS (Network-Attached Storage) devices are consumer and small business network storage appliances that provide centralized file storage, backup, and media streaming accessible over a local network and the internet. Zyxel NAS326, NAS540, and NAS542 are Linux-based appliances that run a web-based management interface for configuration and file management. Small businesses and home offices use these devices to store business documents, backups, media libraries, and personal files — often with the management interface exposed directly to the internet for remote access. NAS devices that are internet-accessible and running embedded Linux firmware represent an attractive target class: they have no endpoint detection, often run outdated firmware, and store files directly accessible to ransomware operators.

Overview

CVE-2023-27992 is a pre-authentication OS command injection vulnerability in Zyxel NAS326, NAS540, and NAS542 network-attached storage devices that allows an unauthenticated remote attacker to execute arbitrary OS commands by sending a specially crafted HTTP request. Zyxel published the advisory and patches simultaneously on June 19, 2023. CISA added it to the Known Exploited Vulnerabilities catalog just four days later on June 23 — one of the fastest KEV additions relative to advisory publication, indicating that active exploitation was already underway or imminent at the time of disclosure.

Affected Versions

Product   Vulnerable                      Fixed
NAS326    V5.21(AAZF.13)C0 and earlier    V5.21(AAZF.14)C0
NAS540    V5.21(AATB.10)C0 and earlier    V5.21(AATB.11)C0
NAS542    V5.21(ABAG.10)C0 and earlier    V5.21(ABAG.11)C0

Technical Details

CWE-78 (Improper Neutralization of Special Elements used in an OS Command — OS Command Injection). Zyxel NAS devices run a web-based management interface built on an embedded Linux OS. A command injection vulnerability in the web application's request handling allows an unauthenticated attacker to send an HTTP request containing specially crafted input that is passed unsanitized to a shell command executed on the underlying Linux OS.

No credentials are required — the vulnerable code path is reachable before authentication. Successful exploitation provides the attacker with OS command execution on the NAS device's Linux environment, typically as a privileged user. This allows:

  • Reading or exfiltrating all files stored on the NAS
  • Encrypting or deleting stored files (ransomware deployment)
  • Installing persistent backdoors or botnet malware on the device
  • Using the compromised NAS as a pivot point for attacking other systems on the local network

NAS devices running embedded Linux with persistent storage are particularly useful for attackers establishing long-term footholds — the device continues running between user logins and may not be monitored.
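The weakness class described above is the classic CWE-78 pattern: request input concatenated into a shell command string. The following is an added illustration written for this page, not Zyxel's code and not a reproduction of the actual vulnerable handler (the page does not identify the affected endpoint or parameter). It models a hypothetical NAS "diagnostics" handler that receives a host name from an HTTP request, shows the anti-pattern beside a hardened version (allow-list validation plus argv-style invocation with no shell), and uses only `echo` so it runs offline and harmlessly.

```python
import re
import subprocess

# Constructed, hypothetical handler for a NAS web UI. Nothing here is Zyxel's code;
# the parameter name, regex and command are assumptions made for illustration.

# Allow-list for a host name: letters, digits, dots and hyphens only, up to 253 chars.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")


def run_diag_vulnerable(host: str) -> str:
    """CWE-78 anti-pattern: untrusted input is interpolated into a shell string.

    Any shell metacharacter in `host` (;, |, &&, $(...), backticks) is interpreted
    by /bin/sh, so the request author chooses what else gets executed.
    """
    cmd = f"echo diag {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_hostname(host: str) -> str:
    """Reject anything that is not a plausible host name before it reaches a tool."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return host


def run_diag_hardened(host: str) -> str:
    """Validated input is passed as a discrete argv element; no shell is involved.

    Even if validation were bypassed, the argument list form means the value can
    only ever be one argument to the program, never a second command.
    """
    host = validate_hostname(host)
    return subprocess.run(["echo", "diag", host], capture_output=True, text=True).stdout


def output_lines(text: str) -> list[str]:
    """Split captured stdout into lines so callers can count what actually ran."""
    return text.splitlines()


if __name__ == "__main__":
    # Constructed metacharacter input: a host name followed by a second command.
    tainted = "nas.local; echo INJECTED"

    # The shell-string version runs two commands and prints two lines.
    print("vulnerable:", output_lines(run_diag_vulnerable(tainted)))

    # The hardened version refuses the value outright ...
    try:
        run_diag_hardened(tainted)
    except ValueError as exc:
        print("hardened rejected:", exc)

    # ... and passes a legitimate host through as a single argument.
    print("hardened:", output_lines(run_diag_hardened("nas.local")))
```

Two defensive layers are shown on purpose: the allow-list stops unexpected characters at the boundary, and the argv-style `subprocess.run([...])` call removes the shell from the picture so that a validation gap cannot turn into command execution. Either layer alone is weaker than both together.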

Discovery

Discovered and reported to Zyxel by security researchers. Zyxel coordinated the fix and published the advisory and firmware updates simultaneously on June 19, 2023.

Exploitation Context

The 4-day gap between Zyxel's advisory publication (June 19) and CISA's KEV addition (June 23) indicates that CISA had intelligence of active exploitation at or near the time of public disclosure. Zyxel NAS devices are a recurring target for ransomware and cryptomining botnet operators: Zyxel NAS vulnerabilities in 2020, 2022, and 2023 have all been rapidly weaponized after public disclosure, with attackers exploiting internet-accessible appliances before owners apply firmware updates.

The firmware update process for NAS devices requires manual action by the device owner — consumer and small business NAS devices typically lack automatic update mechanisms. This creates a persistent exploitation window, particularly for devices owned by non-technical users who may not monitor security advisories.

Remediation

  1. Update NAS326 to firmware V5.21(AAZF.14)C0 or later, NAS540 to V5.21(AATB.11)C0 or later, NAS542 to V5.21(ABAG.11)C0 or later via the device's firmware update mechanism.
  2. If the management interface is internet-accessible, immediately restrict access via router/firewall rules — NAS management interfaces should not be directly reachable from the internet.
  3. Enable remote access via VPN rather than direct internet exposure if remote NAS access is needed.
  4. Review the device's running processes and scheduled tasks for signs of installed backdoors or cryptominers.
  5. Check file system integrity — look for unexpected files added in system directories (particularly in /tmp, /var, or web root directories).
  6. Ensure the NAS admin account password is strong and changed after patching — default or weak passwords compound the risk if command injection is combined with persistence mechanisms.
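Step 1 is the one that actually closes the hole, and on a fleet of appliances the question is simply which units are still below the fixed build. The following is an added example written for this page (not a Zyxel tool): a small parser for the firmware string format used in the advisory table, `V<major>.<minor>(<model code>.<build>)C<rev>`, plus a triage helper that flags any inventory entry running a build earlier than the fixed one for its model. The fixed versions are copied from the table above; the inventory entries are constructed sample data.

```python
import re
from typing import NamedTuple

# Fixed firmware per model, from the advisory table on this page.
FIXED_FIRMWARE = {
    "NAS326": "V5.21(AAZF.14)C0",
    "NAS540": "V5.21(AATB.11)C0",
    "NAS542": "V5.21(ABAG.11)C0",
}

# Zyxel firmware string layout as it appears in the advisory, e.g. V5.21(AAZF.13)C0.
# The field names below are this example's own labels, not vendor terminology.
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class Firmware(NamedTuple):
    major: int
    minor: int
    code: str      # per-model build code (AAZF, AATB, ABAG)
    build: int
    revision: int

    def ordinal(self) -> tuple:
        """Comparable tuple; the model code is not part of the ordering."""
        return (self.major, self.minor, self.build, self.revision)


def parse_firmware(version: str) -> Firmware:
    """Parse a Zyxel-style firmware string or raise ValueError if it does not match."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    major, minor, code, build, rev = m.groups()
    return Firmware(int(major), int(minor), code, int(build), int(rev))


def is_vulnerable(model: str, version: str) -> bool:
    """True if `version` is earlier than the fixed firmware for `model`."""
    if model not in FIXED_FIRMWARE:
        raise ValueError(f"no fixed firmware known for model {model!r}")
    fixed = parse_firmware(FIXED_FIRMWARE[model])
    current = parse_firmware(version)
    if current.code != fixed.code:
        # A mismatched build code means the string is not firmware for this model.
        raise ValueError(f"firmware {version!r} does not belong to {model}")
    return current.ordinal() < fixed.ordinal()


def triage(inventory: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Return (model, running version, required version) for every unit still exposed."""
    exposed = []
    for model, version in inventory:
        if is_vulnerable(model, version):
            exposed.append((model, version, FIXED_FIRMWARE[model]))
    return exposed


# Constructed sample inventory, not real device data.
SAMPLE_INVENTORY = [
    ("NAS326", "V5.21(AAZF.13)C0"),   # last vulnerable build
    ("NAS326", "V5.21(AAZF.14)C0"),   # fixed
    ("NAS540", "V5.20(AATB.9)C0"),    # older minor release, still vulnerable
    ("NAS542", "V5.21(ABAG.11)C0"),   # fixed
]

if __name__ == "__main__":
    for model, running, required in triage(SAMPLE_INVENTORY):
        print(f"{model}: running {running}, update to {required} or later")
```

The comparison deliberately treats the whole version tuple as ordered rather than looking only at the build number, so an appliance that never moved past an older minor release (V5.20 in the sample) is still reported. A build code that does not match the model is treated as an error instead of silently comparing numbers across product lines.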

Key Details

Property: Value
CVE ID: CVE-2023-27992
Vendor / Product: Zyxel — Multiple Network-Attached Storage (NAS) Devices
NVD Published: 2023-06-19
NVD Last Modified: 2025-10-27
CVSS 3.1 Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-78
CISA KEV Added: 2023-06-23
CISA KEV Deadline: 2023-07-14
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2023-07-14. Apply updates per vendor instructions.

Timeline

Date        Event
2023-06-19  Zyxel publishes advisory and patches for CVE-2023-27992 across the NAS326, NAS540, and NAS542 product lines
2023-06-23  CISA adds CVE-2023-27992 to the Known Exploited Vulnerabilities catalog — 4 days after advisory publication
2023-07-14  CISA BOD 22-01 remediation deadline