Critical Vulnerability in Zyxel NAS Products

Published on 07 Sep 2022

Updated on 07 Sep 2022

Zyxel has released security updates to address a critical format string vulnerability (CVE-2022-34747) in their Network Attached Storage (NAS) products. The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10.

The format string vulnerability is present in a specific binary of Zyxel NAS products and could allow an attacker to perform unauthorised Remote Code Execution (RCE) via a crafted UDP packet.

The following products are affected by this vulnerability:
-   NAS326: V5.21(AAZF.11)C0 and earlier
-   NAS540: V5.21(AATB.8)C0 and earlier
-   NAS542: V5.21(ABAG.8)C0 and earlier

Users and administrators of affected products are advised to apply the relevant patches immediately.
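To find which devices in an inventory fall under the list above, the following added example (not code from Zyxel or from this advisory) parses the firmware strings and compares them with the last affected build per model. It assumes the layout `V<major>.<minor>(<model code>.<patch level>)C<release>` and that "earlier" means a numerically lower tuple; the function names and the sample inventory are hypothetical.

```python
import re

# Last affected firmware per model, copied from the advisory's list.
LAST_AFFECTED = {
    "NAS326": "V5.21(AAZF.11)C0",
    "NAS540": "V5.21(AATB.8)C0",
    "NAS542": "V5.21(ABAG.8)C0",
}

# Assumed layout: V<major>.<minor>(<model code>.<patch level>)C<release>
_FW_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)C(\d+)$")

def parse_firmware(version):
    """Return (numeric sort key, model code) for a firmware string."""
    m = _FW_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    major, minor, code, patch, release = m.groups()
    return (int(major), int(minor), int(patch), int(release)), code

def is_affected(model, version):
    """True if version is at or below the advisory's last affected build."""
    limit_key, limit_code = parse_firmware(LAST_AFFECTED[model.strip().upper()])
    key, code = parse_firmware(version)
    if code != limit_code:
        raise ValueError(f"{version} is not {model} firmware")
    return key <= limit_key  # numeric compare, so patch 9 sorts before 11

def triage(inventory):
    """Map host -> 'patch now', 'not listed' or 'review' for (host, model, version) rows."""
    result = {}
    for host, model, version in inventory:
        try:
            result[host] = "patch now" if is_affected(model, version) else "not listed"
        except (KeyError, ValueError):
            result[host] = "review"  # unlisted model or unparsable/mismatched string
    return result

# Constructed inventory: hostnames, NAS999 and the non-advisory versions are made up.
SAMPLE = [
    ("nas-a", "NAS326", "V5.21(AAZF.11)C0"),
    ("nas-b", "NAS326", "V5.21(AAZF.9)C0"),
    ("nas-c", "NAS540", "V5.21(AATB.9)C0"),
    ("nas-d", "NAS542", "V5.21(AATB.8)C0"),
    ("nas-e", "NAS999", "V5.21(ZZZZ.1)C0"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "not listed" result only means the version is above the range given in this advisory; rows marked "review" need a manual check against the vendor advisory.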

More information is available here:
https://www.zyxel.com/support/Zyxel-security-advisory-for-format-string-vulnerability-in-NAS.shtml