Cyber Resilience

CVE-2023-5372

Severity: High | Type: RCE

Published: 30 January 2024

Modified: 21 November 2024
KEV Added: not listed
Patch:
CVSS v3.1 Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1012 (93.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-5372 is a high-severity OS Command Injection (CWE-78) vulnerability in Zyxel NAS326 firmware. Its CVSS base score is 7.2 (High).

Operationally, its EPSS score places it in the top 6.7% of CVEs by exploit likelihood (93.3rd percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability CVE-2023-5372 is a post-authentication command injection issue, tracked under CWE-78, that affects the web management interface of Zyxel NAS326 firmware versions through V5.21(AAZF.15)C0 and NAS542 firmware versions through V5.21(ABAG.12)C0. An authenticated administrator can supply a specially crafted query parameter in a URL request to cause the device to execute arbitrary operating system commands.

An attacker who already possesses valid administrator credentials on an exposed device can leverage this flaw over the network to achieve full control of the underlying operating system, including the ability to read, modify, or delete data and potentially pivot further into the environment. The CVSS 3.1 score of 7.2 reflects the high impact on confidentiality, integrity, and availability when the attack succeeds.

Zyxel’s security advisory published on 30 January 2024 addresses the issue in the affected NAS products and directs administrators to apply the available firmware updates or configuration changes referenced in the advisory to eliminate the command-injection vector. The associated EPSS values remain near 0.10 with negligible movement between the recorded peak and current figures.

Vulnerability details

The post-authentication command injection vulnerability in Zyxel NAS326 firmware versions through V5.21(AAZF.15)C0 and NAS542 firmware versions through V5.21(ABAG.12)C0 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands by sending a crafted query parameter attached to the URL of an affected device’s web management interface.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Zyxel
Product: NAS326 firmware
Versions: ≤ 5.21(aazf.16)c0

Vendor: Zyxel
Product: NAS542 firmware
Versions: ≤ 5.21(abag.13)c0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not been run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Platform-independent runtime (addresses CWE-78): platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Input validation (addresses CWE-78): validates inputs to block special elements that would alter OS command execution.
