CVE-2023-5372
Published: 30 January 2024
Summary
CVE-2023-5372 is a high-severity OS Command Injection (CWE-78) vulnerability in Zyxel NAS326 firmware. Its CVSS base score is 7.2 (High).
Operationally, it is ranked in the top 6.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability CVE-2023-5372 is a post-authentication command injection issue, tracked under CWE-78, that affects the web management interface of Zyxel NAS326 firmware versions through V5.21(AAZF.15)C0 and NAS542 firmware versions through V5.21(ABAG.12)C0. An authenticated administrator can supply a specially crafted query parameter in a URL request to cause the device to execute arbitrary operating system commands.
An attacker who already possesses valid administrator credentials on an exposed device can leverage this flaw over the network to achieve full control of the underlying operating system, including the ability to read, modify, or delete data and potentially pivot further into the environment. The CVSS 3.1 score of 7.2 reflects the high impact on confidentiality, integrity, and availability when the attack succeeds.
Zyxel’s security advisory published on 30 January 2024 addresses the issue in the affected NAS products and directs administrators to apply the available firmware updates or configuration changes referenced in the advisory to eliminate the command-injection vector. The associated EPSS values remain near 0.10 with negligible movement between the recorded peak and current figures.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-57688
Vulnerability details
The post-authentication command injection vulnerability in Zyxel NAS326 firmware versions through V5.21(AAZF.15)C0 and NAS542 firmware versions through V5.21(ABAG.12)C0 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands by sending a crafted query parameter attached to the URL of an affected device’s web management interface.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.