Zyxel says multiple NAS devices suffering from cybersecurity flaws

News
By published

Two Zyxel NAS devices were found vulnerable to six flaws

Red padlock open on electric circuits network dark red background
(Image credit: Shutterstock/Chor muang)

Zyxel says it has discovered and addressed half a dozen vulnerabilities affecting two of its network-attached storage (NAS) devices.

Out of the six flaws, three are of critical severity, and allow threat actors to run operating system commands without authentication. In other words, they could abuse the flaw to install malware or extract information from the endpoint.

The bugs are tracked as CVE-2023-35137 (severity score 7.5), CVE-2023-35138 (9.8), CVE-2023-37927 (8.8), CVE-2023-37928 (8.8), CVE-2023-4473 (9.8), and CVE-2023-4474 (9.8). More details about the vulnerabilities can be found here.

Reader Offer: $50 Amazon gift card with demo

Reader Offer: $50 Amazon gift card with demo
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?

Plenty of personal data

The affected devices are NAS326 running version 5.21(AAZF.14)C0 and earlier, and NAS542, running version 5.21(ABAG.11)C0 and earlier.

The only way to fix the issues is to upgrade to the recommended versions - V521(AAZF.15)C0 or later for NAS326, and V5.21(ABAG.12)C0 or later for NAS542. There are no mitigations and no workarounds. The only way to address the flaws is by updating the firmware, Zyxel said.

NAS devices are usually used by small and medium-sized businesses (SMB) to manage their data, facilitate remote work, or enable different collaboration options. Some businesses use it for data redundancy systems, too, BleepingComputer explains. They are built for high data volumes, it added. 

This also makes them a prime target for cybercriminals. In June this year, IoT cybersecurity company Sternum identified a security vulnerability affecting Zyxel’s NAS drives NAS326, NAS540, and NAS542 models, all running on firmware version 5.21. 

Last year, QNAP urged its NAS users to patch their endpoints immediately, as newly discovered flaws were being used by threat actors to deploy the Deadbolt ransomware. QNAP’s NAS devices were also found to be vulnerable to the DirtyPipe flaw that caused quite a ruckus last year.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Security
Zyxel says it won’t patch security flaws in its old routers
An image of network security icons for a network encircling a digital blue earth.
Industrial networks exposed to attack by faulty Moxa devices
Digital image of a lock.
QNAP says it has fixed several major vulnerabilities in NAS backup, recovery app
cables going into the back of a broadband router on white background
Netgear urges users to patch major router security issues now
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple routers hit by new critical severity remote command injection vulnerability, with no fix in sight
China
Juniper patches security flaws which could have let hackers take over your router
Latest in Security
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak
A major Keenetic router data leak could put a million households at risk
Code Skull
Interpol operation arrests 300 suspects linked to African cybercrime rings
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple routers hit by new critical severity remote command injection vulnerability, with no fix in sight
Code Skull
This dangerous new ransomware is hitting Windows, ARM, ESXi systems
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
Latest in News
Open AI
OpenAI live stream - could we see a major ChatGPT upgrade?
Apple WWDC 2025 announced
Apple just announced WWDC 2025 starts on June 9, and we'll all be watching the opening event
Hornet swings their weapon in mid air
Hollow Knight: Silksong gets new Steam metadata changes, convincing everyone and their mother that the game is finally releasing this year
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
NetSuite EVP Evan Goldberg at SuiteConnect London 2025
"It's our job to deliver constant innovation” - NetSuite head on why it wants to be the operating system for your whole business
Monster Hunter Wilds
Monster Hunter Wilds Title Update 1 launches in early April, adding new monsters and some of the best-looking armor sets I need to add to my collection
More about security
cybersecurity

Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak

A major Keenetic router data leak could put a million households at risk
Venezuela's forward #09 Jhonder Cadiz celebrates after scoring during the 2026 FIFA World Cup South American qualifiers football match between Ecuador and Venezuela, at the Rodrigo Paz Delgado stadium in Quito, on March 21, 2025 ahead of Venezuela vs Peru

Venezuela vs Peru live stream: how to watch FIFA World Cup 2026 qualifier anywhere online
See more latest
Most Popular
Open AI
OpenAI live stream - could we see a major ChatGPT upgrade?
NetSuite EVP Evan Goldberg at SuiteConnect London 2025
"It's our job to deliver constant innovation” - NetSuite head on why it wants to be the operating system for your whole business
Apple WWDC 2025 announced
Apple just announced WWDC 2025 starts on June 9, and we'll all be watching the opening event
Hornet swings their weapon in mid air
Hollow Knight: Silksong gets new Steam metadata changes, convincing everyone and their mother that the game is finally releasing this year
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
Monster Hunter Wilds
Monster Hunter Wilds Title Update 1 launches in early April, adding new monsters and some of the best-looking armor sets I need to add to my collection
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Sony WF-C710N in blue glass on beige background
Sony WF-C710 earbuds land, and I think they'll be the 2025 budget buds to beat
The RIG M2 Streamstar attached to a boom arm.
The RIG M2 Streamstar has the world's first Bluetooth audio gateway in a wired gaming microphone
Four operators survey Verdansk. One holds a sniper rifle, one binoculars, another holds is landing with their parachute, while the last wears a skull mask
New Call of Duty: Warzone trailer shows a beautiful rebuilt Verdansk, but some fans want more: 'it won't be the same unfortunately'