Zyxel has released security updates to address a critical format string vulnerability (CVE-2022-34747) in their Network Attached Storage (NAS) products. The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10.
The format string vulnerability is present in a specific binary of Zyxel NAS products and could allow an attacker to perform unauthorised Remote Code Execution (RCE) via a crafted UDP packet.
The following products are affected by this vulnerability:
- NAS326: V5.21(AAZF.11)C0 and earlier
- NAS540: V5.21(AATB.8)C0 and earlier
- NAS542: V5.21(ABAG.8)C0 and earlier
Users and administrators of affected products are advised to apply the relevant patches immediately.
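To find which devices in an inventory still need the patch, the affected-version list above can be turned into a check. The following is an added example, not Zyxel's code or part of the original advisory. It assumes firmware strings follow the `V<major>.<minor>(<code>.<build>)C<rev>` pattern seen in the list and that releases are ordered by version, then build number, then C revision. The inventory rows and function names are constructed for illustration.

```python
import re

# Last affected firmware per model, copied from the advisory's list.
LAST_AFFECTED = {
    "NAS326": "V5.21(AAZF.11)C0",
    "NAS540": "V5.21(AATB.8)C0",
    "NAS542": "V5.21(ABAG.8)C0",
}
FW_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)C(\d+)$")

def parse_firmware(text):
    """Split 'V5.21(AAZF.11)C0' into (model code, sortable key)."""
    m = FW_RE.match(text.strip().upper())
    if m is None:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    major, minor, code, build, rev = m.groups()
    # Assumption: releases order by version, then build number, then C revision.
    return code, (int(major), int(minor), int(build), int(rev))

def is_affected(model, firmware):
    """True: affected, False: newer than last affected, None: cannot decide."""
    last = LAST_AFFECTED.get(model.strip().upper())
    if last is None:
        return None  # model is not listed in the advisory
    try:
        code, key = parse_firmware(firmware)
    except ValueError:
        return None  # unparseable string: do not guess, flag for review
    last_code, last_key = parse_firmware(last)
    if code != last_code:
        return None  # firmware code does not match this model's firmware line
    return key <= last_key

# Constructed inventory rows (hostname, model, reported firmware), not real devices.
INVENTORY = [
    ("nas-lab-01", "NAS326", "V5.21(AAZF.11)C0"),
    ("nas-lab-02", "NAS326", "V5.21(AAZF.12)C0"),
    ("nas-lab-03", "NAS540", "V5.21(AATB.7)C0"),
    ("nas-lab-04", "NAS542", "V5.21(AATB.9)C0"),  # code belongs to another model
    ("nas-lab-05", "NAS542", "unknown"),
]

def triage(inventory):
    """Map each hostname to an action label based on is_affected()."""
    labels = {True: "PATCH NOW", False: "newer than listed", None: "check manually"}
    return {host: labels[is_affected(model, fw)] for host, model, fw in inventory}
```

A result of "newer than listed" only means the firmware is later than the last affected release; confirm against Zyxel's advisory that it is the patched build.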
More information is available here: