TechRadar
Sead Fadilpašić

Zyxel says multiple NAS devices suffering from cybersecurity flaws


Zyxel says it has discovered and addressed half a dozen vulnerabilities affecting two of its network-attached storage (NAS) devices.

Out of the six flaws, three are of critical severity and allow threat actors to run operating system commands without authentication. In other words, they could be abused to install malware on, or extract information from, the device.

The bugs are tracked as CVE-2023-35137 (severity score 7.5), CVE-2023-35138 (9.8), CVE-2023-37927 (8.8), CVE-2023-37928 (8.8), CVE-2023-4473 (9.8), and CVE-2023-4474 (9.8). More details about the vulnerabilities can be found here.

Plenty of personal data

The affected devices are NAS326 running version 5.21(AAZF.14)C0 and earlier, and NAS542, running version 5.21(ABAG.11)C0 and earlier.

The only way to fix the issues is to upgrade to the recommended versions - V521(AAZF.15)C0 or later for NAS326, and V5.21(ABAG.12)C0 or later for NAS542. There are no mitigations and no workarounds; updating the firmware is the only way to address the flaws, Zyxel said.
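An affected-or-patched check over a device inventory, as an added example that is not part of the article and is not Zyxel's tooling. It assumes the firmware version strings follow the structure the article quotes (major.minor, a per-model release code such as AAZF or ABAG with a release number in parentheses, and a C-suffixed build number), and uses the article's recommended versions as the first fixed release for each model; the inventory rows are constructed sample data.

```python
import re

# Assumed structure of Zyxel NAS firmware strings, e.g. "5.21(AAZF.14)C0":
# <major>.<minor>(<release code>.<release number>)C<build>, optional leading "V".
VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")

# First fixed firmware per model, taken from the article's recommended versions.
FIXED = {
    "NAS326": "5.21(AAZF.15)C0",
    "NAS542": "5.21(ABAG.12)C0",
}


def parse_version(s):
    """Split a firmware string into (major, minor, release code, release number, build)."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {s!r}")
    major, minor, code, release, build = m.groups()
    return (int(major), int(minor), code, int(release), int(build))


def is_affected(model, version):
    """True if the firmware is older than the first fixed release for that model."""
    fixed = parse_version(FIXED[model])
    cur = parse_version(version)
    if cur[2] != fixed[2]:
        # A different release code means the string belongs to another model line;
        # refuse to guess rather than silently mark it safe.
        raise ValueError(f"release code {cur[2]} does not match {model} ({fixed[2]})")
    # Compare numerically: 5.20(ABAG.9)C0 sorts before 5.21(ABAG.12)C0, as it should.
    return (cur[0], cur[1], cur[3], cur[4]) < (fixed[0], fixed[1], fixed[3], fixed[4])


# Constructed sample inventory; hostnames and firmware values are illustrative only.
INVENTORY = [
    {"host": "nas-finance", "model": "NAS326", "firmware": "5.21(AAZF.14)C0"},
    {"host": "nas-backup", "model": "NAS542", "firmware": "5.21(ABAG.12)C0"},
    {"host": "nas-lab", "model": "NAS542", "firmware": "5.20(ABAG.9)C0"},
    # Model not covered by the advisory; release code is a placeholder, not a real Zyxel code.
    {"host": "nas-old", "model": "NAS540", "firmware": "5.21(XXXX.1)C0"},
]


def triage(inventory):
    """Map each host to 'affected', 'patched', 'unknown-model' or 'unrecognised'."""
    result = {}
    for row in inventory:
        if row["model"] not in FIXED:
            result[row["host"]] = "unknown-model"
            continue
        try:
            affected = is_affected(row["model"], row["firmware"])
        except ValueError:
            result[row["host"]] = "unrecognised"
            continue
        result[row["host"]] = "affected" if affected else "patched"
    return result


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Because the article says there are no workarounds, every host reported as "affected" needs a firmware update rather than a configuration change; "unknown-model" rows (such as the NAS540 mentioned later in the article) are flagged for manual review rather than assumed safe.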

NAS devices are usually used by small and medium-sized businesses (SMBs) to manage their data, facilitate remote work, or enable different collaboration options. Some businesses use them for data redundancy, too, BleepingComputer explains. They are built for high data volumes, it added.

This also makes them a prime target for cybercriminals. In June this year, IoT cybersecurity company Sternum identified a security vulnerability affecting Zyxel's NAS326, NAS540, and NAS542 NAS models, all running firmware version 5.21.

Last year, QNAP urged its NAS users to patch their devices immediately, as newly discovered flaws were being exploited by threat actors to deploy the Deadbolt ransomware. QNAP's NAS devices were also found to be vulnerable to the DirtyPipe flaw, which caused quite a ruckus last year.
