CVE-2023-5372 HIGH

CVE-2023-5372

Vendor Zyxel

Product NAS326 firmware

Weakness CWE-78

Published January 30, 2024

Last update August 23, 2024

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The post-authentication command injection vulnerability in Zyxel NAS326 firmware versions through V5.21(AAZF.15)C0 and NAS542 firmware versions through V5.21(ABAG.12)C0 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands by sending a crafted query parameter attached to the URL of an affected device’s web management interface.

Key dates

02Disclosure timeline

January 30, 2024 CVE published

August 23, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-5372

Related vulnerabilities

Identifiers

CVE CVE-2023-5372

CWE CWE-78

CVSS 7.2 / HIGH

Affected versions

Vendor Zyxel

Product NAS326 firmware

Affected <= V5.21(AAZF.15)C0

Vendor Zyxel

Product NAS542 firmware

Affected <= V5.21(ABAG.12)C0

CVE-2023-5372

01Description

02Disclosure timeline

03References

04Related CVE