Authentication bypass and multiple injection vulnerabilities in Zyxel's NAS devices

TL;DR

I uncovered and reported multiple bugs affecting Zyxel NAS326 and NAS542 devices while I was working at BugProve as a vulnerability researcher. The vulnerabilities reported in these models reflect a progression of critical security issues and a deeper systemic weakness in the web management interface, exposing the devices to various forms of exploitation.

Description

The most impactful among them was CVE-2023-4473, an authentication bypass vulnerability that allowed remote attackers to access the device without valid credentials by simply appending /favicon.ico to any requested path. When chained with other injection vulnerabilities such as CVE-2023-4474, a blind OS command injection issue, it enabled unauthenticated users to perform remote code execution as the root user. These vulnerabilities affected devices running firmware version V5.21(AAZF.14)C0 or V5.21(ABAG.11)C0 and earlier. See the archived technical analysis of these vulnerabilities for more information.
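The class of weakness behind that bypass, as an added illustration that is not Zyxel's code or part of the BugProve write-up: a toy authentication exemption that recognises favicon.ico by a suffix match on the raw request path, beside a hardened version that canonicalises the path and requires an exact allowlist match, plus a log check that flags the suffix pattern in access logs. The allowlist, the request paths and the log lines are constructed for the demo and assume nothing about the real firmware.

```python
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Assumed allowlist of unauthenticated resources for this demo.
PUBLIC_EXACT = {"/favicon.ico", "/login"}

def is_public_weak(raw_path: str) -> bool:
    """Flawed exemption: a suffix match on the raw request path, so any
    protected path with '/favicon.ico' appended is treated as public."""
    return raw_path.endswith("/favicon.ico") or raw_path == "/login"

def canonical_path(raw_path: str) -> str:
    """Drop the query string, decode %-escapes, collapse '//', '.' and '..'."""
    path = unquote(urlsplit(raw_path).path)
    return normpath("/" + path.lstrip("/"))

def is_public_hardened(raw_path: str) -> bool:
    """Exempt only an exact match of the canonicalised path against the allowlist."""
    return canonical_path(raw_path) in PUBLIC_EXACT

_REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def find_suffix_bypass(log_lines):
    """Return request paths that end in /favicon.ico yet do not canonicalise to
    it: the access-log signature of the bypass pattern described above."""
    hits = []
    for line in log_lines:
        m = _REQ.search(line)
        if m:
            raw = m.group(1)
            if raw.endswith("/favicon.ico") and canonical_path(raw) != "/favicon.ico":
                hits.append(raw)
    return hits

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /favicon.ico HTTP/1.1" 200 1150',
    '192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] "GET /admin/settings HTTP/1.1" 401 0',
    '192.0.2.11 - - [01/Jan/2024:10:00:02 +0000] "GET /admin/settings/favicon.ico HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for raw in ("/favicon.ico", "/admin/settings/favicon.ico"):
        print(raw, "weak:", is_public_weak(raw), "hardened:", is_public_hardened(raw))
    print("suspicious:", find_suffix_bypass(SAMPLE_LOG))
```

The weak check exempts the appended-suffix path, the hardened check does not, and the log scan surfaces such requests for review even on a device that cannot be patched.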

I also discovered CVE-2023-37927 and CVE-2023-37928, which exposed blind OS command and Python code injection flaws exploitable by authenticated users. These vulnerabilities allowed remote execution of arbitrary code in core services such as the WSGI server (running as the root user) and the web server (running as the nobody user). Devices running V5.21(AAZF.14)C0 or V5.21(ABAG.11)C0 and earlier were vulnerable to these issues as well. See the archived technical analysis of these vulnerabilities for more information.

Zyxel grouped the fixes for these vulnerabilities into a single security update, which is documented in their official security advisory for authentication bypass and command injection vulnerabilities in their NAS products.

The final finding in this series, CVE-2023-5372, stemmed from blind Python code injection in the service and package management mechanisms of the web interface. Attackers could craft malicious query parameters that triggered code execution as the root user within functions like manipulate_services(), manipulate_services_dependency(), and manipulate_packages() in the appzone_main_model.py component. This vulnerability affected devices running V5.21(AAZF.15)C0 or V5.21(ABAG.12)C0 and earlier. See the archived technical analysis of these vulnerabilities for more information.

It’s important to note that both the NAS326 and NAS542 models reached end-of-support on December 31, 2023. Although additional firmware updates were released to address security flaws, these devices are no longer supported and will not receive further fixes.

Together, these vulnerabilities demonstrated how chained weaknesses, spanning authentication, input validation, and privilege boundaries, can result in full device compromise. Identifying and reporting them at BugProve contributed to remediation efforts and raised broader awareness about systemic security risks in embedded systems.

Note

This information was originally published during my time as a vulnerability researcher at BugProve, whose website is no longer active. To preserve and share the research, I’m republishing a brief overview here. The original write-ups, including technical details and disclosures, have been archived and are available in the Wayback Machine. I believe continued access to these reports contributes to safer systems and better awareness within the community.