CVE-2023-4474 CRITICAL

Vendor: Zyxel
Product: NAS326 firmware
Weakness: CWE-78
Published: November 30, 2023
Last update: December 16, 2025

CVSS base score

9.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The improper neutralization of special elements in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.

Key dates

02 Disclosure timeline

November 30, 2023: CVE published
December 16, 2025: Record updated