CVE-2023-27992

9.8 CRITICAL

📋 TL;DR

This is a critical pre-authentication command injection vulnerability in Zyxel NAS devices that allows unauthenticated remote attackers to execute arbitrary operating system commands via crafted HTTP requests. Affected users include anyone running vulnerable Zyxel NAS326, NAS540, or NAS542 firmware versions. The vulnerability requires no authentication and has a CVSS score of 9.8, indicating critical severity.

💻 Affected Systems

Products:
  • Zyxel NAS326
  • Zyxel NAS540
  • Zyxel NAS542
Versions: NAS326 firmware prior to V5.21(AAZF.14)C0, NAS540 firmware prior to V5.21(AATB.11)C0, NAS542 firmware prior to V5.21(ABAG.11)C0
Operating Systems: Embedded Linux-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise allowing attackers to install malware, steal data, pivot to internal networks, or use the device as part of a botnet.

🟠 Likely Case: Remote code execution leading to data theft, ransomware deployment, or device takeover for malicious activities.

🟢 If Mitigated: Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH - Directly exploitable from the internet without authentication, making exposed devices immediate targets.
🏢 Internal Only: MEDIUM - Still exploitable from internal networks, but requires initial network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code. CISA has added this to their Known Exploited Vulnerabilities catalog.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: NAS326: V5.21(AAZF.14)C0, NAS540: V5.21(AATB.11)C0, NAS542: V5.21(ABAG.11)C0

Vendor Advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-pre-authentication-command-injection-vulnerability-in-nas-products

Restart Required: Yes

Instructions:

1. Download the latest firmware for your model from the Zyxel support portal.
2. Log into the NAS web interface.
3. Navigate to Maintenance > Firmware Update.
4. Upload and install the firmware file.
5. Reboot the device after installation.

🔧 Temporary Workarounds

Network Isolation

Block all inbound HTTP/HTTPS traffic to the NAS from untrusted networks. The rules below can be applied on the NAS itself or on a Linux firewall in front of it; as written they drop the web interface for every source, so they are an emergency measure, not a long-term setting. Plain iptables rules do not survive a reboot unless saved with the distribution's persistence mechanism.

# drop all inbound web-interface traffic (HTTP and HTTPS)
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Access Restriction

Restrict NAS web interface access to specific trusted IP addresses only. Replace 192.168.1.0/24 with your management network. The ACCEPT rule must be evaluated before the DROP rule, so insert it at the top of the chain with -I rather than appending it; otherwise it never matches if a DROP from the isolation step is already in place.

# allow the trusted range first, then drop everything else
iptables -I INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -I INPUT -p tcp --dport 443 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Immediately disconnect vulnerable devices from the internet and place behind strict firewall rules
  • Implement network segmentation to isolate NAS devices from critical systems and monitor for suspicious traffic

🔍 How to Verify

Check if Vulnerable:

Compare the firmware version shown in the NAS web interface under Maintenance > System Information against the patched versions listed in the fix section. Any NAS326, NAS540, or NAS542 running an older build is vulnerable.

Check Version:

Connect to the NAS web interface and navigate to Maintenance > System Information; the firmware version string has the form V5.21(AAZF.14)C0, where the letter code identifies the model line.

Verify Fix Applied:

Confirm the installed firmware version matches or exceeds the patched version for that model (NAS326: V5.21(AAZF.14)C0, NAS540: V5.21(AATB.11)C0, NAS542: V5.21(ABAG.11)C0).
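Comparing Zyxel version strings by eye is error-prone when you have a fleet of devices. The following is an added example, not code from the advisory or from Zyxel: it parses version strings in the V<major>.<minor>(<code>.<build>)C<revision> form seen on this page and reports whether an installed build is older than the patched build for its model. It assumes that the letter code is constant per model line and that the numeric fields compare in that order; both are assumptions made for this example.

```python
import re
from typing import NamedTuple

# Patched firmware versions as listed in the fix section of this advisory.
PATCHED = {
    "NAS326": "V5.21(AAZF.14)C0",
    "NAS540": "V5.21(AATB.11)C0",
    "NAS542": "V5.21(ABAG.11)C0",
}

# Assumed format: V<major>.<minor>(<code>.<build>)C<revision>
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    code: str        # model-specific firmware code, e.g. AAZF (assumed constant per model)
    build: int
    revision: int

    def key(self):
        # Numeric fields in comparison order; the letter code is checked separately.
        return (self.major, self.minor, self.build, self.revision)


def parse_version(text: str) -> ZyxelVersion:
    """Parse a Zyxel-style version string or raise ValueError."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {text!r}")
    major, minor, code, build, revision = m.groups()
    return ZyxelVersion(int(major), int(minor), code, int(build), int(revision))


def is_vulnerable(model: str, installed: str) -> bool:
    """True if the installed firmware is older than the patched build for this model.

    Raises ValueError for models outside this advisory or when the firmware code
    does not belong to the named model (a likely inventory mistake worth surfacing
    rather than silently reporting 'not vulnerable').
    """
    if model not in PATCHED:
        raise ValueError(f"model {model!r} is not covered by this advisory")
    have = parse_version(installed)
    fixed = parse_version(PATCHED[model])
    if have.code != fixed.code:
        raise ValueError(
            f"firmware code {have.code} does not match {model} (expected {fixed.code})"
        )
    return have.key() < fixed.key()


if __name__ == "__main__":
    # Constructed inventory rows for demonstration; not real devices.
    inventory = [
        ("nas-a", "NAS326", "V5.21(AAZF.13)C0"),
        ("nas-b", "NAS326", "V5.21(AAZF.14)C0"),
        ("nas-c", "NAS540", "V5.20(AATB.11)C0"),
    ]
    for name, model, version in inventory:
        state = "VULNERABLE" if is_vulnerable(model, version) else "patched"
        print(f"{name:6} {model} {version:20} {state}")
```

Feed it the version string copied from Maintenance > System Information; a mismatch between the letter code and the model you believe the device to be is reported as an error so that a mislabelled device is not marked safe by accident.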

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to NAS web interface
  • Multiple failed login attempts followed by command execution patterns
  • Unexpected system processes or file modifications

Network Indicators:

  • HTTP requests with command injection patterns to NAS devices
  • Outbound connections from NAS to suspicious IPs
  • Unusual traffic spikes to NAS web interface

SIEM Query:

source="nas_logs" AND (http_uri="*;*" OR http_uri="*|*" OR http_uri="*`*" OR http_uri="*$(*" OR http_uri="*%3B*" OR http_uri="*%7C*")
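The SIEM query above matches raw and single-percent-encoded shell metacharacters in the request URI. The following is an added example, not part of the advisory and not a Zyxel component, that applies the same idea to web-server access log lines offline and goes one step further: it percent-decodes the URI repeatedly (bounded) so that double-encoded sequences are inspected in their final form. The log lines, client addresses and the /cgi-bin/example.cgi path are constructed for the demonstration and are not real Zyxel endpoints or observed traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined-log style. They are not real
# Zyxel NAS logs; the paths and addresses are placeholders for the demonstration.
SAMPLE_LOGS = [
    '10.0.0.5 - - [20/Jun/2023:10:01:02 +0000] "GET /desktop/index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Jun/2023:10:01:09 +0000] "GET /cgi-bin/example.cgi?arg=value;id HTTP/1.1" 200 40',
    '203.0.113.7 - - [20/Jun/2023:10:01:15 +0000] "GET /cgi-bin/example.cgi?arg=value%7Cuname HTTP/1.1" 200 40',
    '203.0.113.9 - - [20/Jun/2023:10:02:00 +0000] "POST /cgi-bin/example.cgi?arg=%2524%2528id%2529 HTTP/1.1" 200 40',
    '10.0.0.8 - - [20/Jun/2023:10:03:00 +0000] "GET /search?q=a%20b HTTP/1.1" 200 100',
]

# Request line inside a combined-format log entry: "METHOD URI HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
# The same shell metacharacters the page's SIEM query looks for: ; | ` and $(
METACHAR_RE = re.compile(r'(;|\||`|\$\()')


def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly, bounded, so that double-encoded input such as
    %2524%2528 -> %24%28 -> $( is inspected in its final form."""
    current = uri
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def parse_line(line: str):
    """Return (client_ip, method, uri) or None if the line does not parse."""
    parts = line.split(" ", 1)
    match = REQUEST_RE.search(line)
    if len(parts) < 2 or not match:
        return None
    return parts[0], match.group("method"), match.group("uri")


def find_injection_candidates(lines):
    """Flag requests whose decoded URI contains a shell metacharacter.

    Returns a list of dicts carrying the evidence an analyst needs to triage:
    source address, method, the raw URI as logged, the decoded form and the
    metacharacter that triggered the match.
    """
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client_ip, method, uri = parsed
        decoded = normalize_uri(uri)
        match = METACHAR_RE.search(decoded)
        if match:
            hits.append({
                "client_ip": client_ip,
                "method": method,
                "raw_uri": uri,
                "decoded_uri": decoded,
                "metachar": match.group(1),
            })
    return hits


if __name__ == "__main__":
    for hit in find_injection_candidates(SAMPLE_LOGS):
        print(f"{hit['client_ip']:12} {hit['method']:4} {hit['raw_uri']} "
              f"-> {hit['decoded_uri']!r} (matched {hit['metachar']!r})")
```

Expect false positives from legitimate URIs that carry `;` or `|` in query parameters; treat a hit as a triage lead and correlate it with the host indicators listed above (unexpected processes, file modifications, outbound connections from the NAS) rather than as proof of exploitation on its own.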
