Cyber Resilience

CVE-2023-27992

Critical · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 19 June 2023

Modified: 27 October 2025
KEV Added: 23 June 2023
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8653 (99.4th percentile)
Risk Priority: 92 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-27992 is a critical-severity OS Command Injection (CWE-78) vulnerability in Zyxel NAS326 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-27992 is a pre-authentication command injection vulnerability (CWE-78) affecting Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0. The flaw resides in the handling of crafted HTTP requests that permit arbitrary operating system command execution without requiring authentication.

An unauthenticated remote attacker can exploit the issue over the network by sending a maliciously formatted HTTP request, achieving full control over the affected NAS device including the ability to read, modify, or delete data and execute arbitrary OS commands with high impact to confidentiality, integrity, and availability.

Zyxel’s security advisory directs customers to upgrade the listed NAS models to the specified patched firmware releases. The vulnerability is also catalogued in CISA’s Known Exploited Vulnerabilities list, confirming observed in-the-wild exploitation.

The associated EPSS score has reached a sustained high of 0.8653, indicating substantial exploitation interest following disclosure.

Vulnerability details

The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request.

CWE(s): CWE-78
KEV Date Added: 23 June 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

zyxel nas326 firmware: ≤ 5.21(aazf.14)c0
zyxel nas540 firmware: ≤ 5.21(aatb.11)c0
zyxel nas542 firmware: ≤ 5.21(abag.11)c0

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires timely application of the vendor firmware updates that eliminate the pre-auth command injection flaw.

Prevent: Mandates validation and sanitization of HTTP input parameters, blocking the crafted requests used for OS command injection.

Prevent: Enforces authentication and authorization checks before any command-processing logic, preventing the unauthenticated exploitation path.
