CVE-2023-27988 HIGH

CVE-2023-27988

Vendor Zyxel

Product NAS326 firmware

Weakness CWE-78

Published May 30, 2023

Last update January 14, 2025

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The post-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.13)C0 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device remotely.

Key dates

02Disclosure timeline

May 30, 2023 CVE published

January 14, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-27988

Related vulnerabilities

04Related CVE

CVE-2025-6620 TOTOLINK CA300-PoE upgrade.so setUpgradeUboot os command injection CVE-2021-47851 Mini Mouse 9.2.0 - Remote Code Execution CVE-2026-26982 Ghostty affected by arbitrary command execution via control characters in paste and drag-and-drop operations CVE-2024-43654 Authenticated command injection in the <redacted> action leads to full remote code execution as root on the charging station CVE-2025-68154 Command Injection in fsSize() on Windows