CVE-2020-9054

Multiple Network-Attached Storage (NAS) Devices vulnerability analysis and mitigation — CRITICAL (CVSS 9.8)

High Profile Threat

Overview

Zyxel NAS devices running firmware version 5.21 contain a critical pre-authentication command injection vulnerability in the weblogin.cgi script. The vulnerability exists due to improper sanitization of the username parameter, allowing unauthenticated remote attackers to execute arbitrary code with root privileges by sending specially crafted HTTP requests. The vulnerability was disclosed on March 4, 2020. CISA has identified CVE-2020-9054 as being exploited but is not currently known to be used in ransomware campaigns.

Technical details

The vulnerability exists in the weblogin.cgi web interface of Zyxel NAS devices. The application fails to properly validate and sanitize the username parameter before passing it to shell commands. An attacker can inject arbitrary shell metacharacters and commands into the username field of HTTP login requests, causing the server to execute malicious commands with root privileges. No authentication is required to exploit this vulnerability, as the injection occurs during the login process itself.
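The following detection script is an added example written for this report; it is not code from the report or from Zyxel. It scans web-server access-log lines for login requests to weblogin.cgi whose username parameter carries shell metacharacters, which is the signature of the CWE-78 flaw described above. The sample log lines are constructed (RFC 5737 documentation addresses, made-up timestamps), the combined log format and the /cgi-bin/ path prefix are assumptions, and the decoder also unwraps double percent-encoding so an evasion attempt shows up in plain form.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in Apache/nginx "combined" format.
# The /cgi-bin/ prefix is an assumption; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Mar/2020:10:00:01 +0000] "POST /cgi-bin/weblogin.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Mar/2020:10:00:02 +0000] "GET /cgi-bin/weblogin.cgi?username=alice&password=redacted HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Mar/2020:10:00:05 +0000] "GET /cgi-bin/weblogin.cgi?username=alice%3Bexample&password=x HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.7 - - [04/Mar/2020:10:00:06 +0000] "GET /cgi-bin/weblogin.cgi?username=%60example%60 HTTP/1.1" 200 512 "-" "curl/7.68.0"
192.0.2.10 - - [04/Mar/2020:10:00:09 +0000] "GET /cgi-bin/index.cgi?username=alice%3Bexample HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that let a parameter value break out of a shell command line
# (CWE-78). A legitimate NAS username should never contain any of them.
SHELL_META = set(";|&$`<>(){}'\"\\\n\r")


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (bounded) so double-encoded values are seen in plain form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_chars(value):
    """Return the shell metacharacters present in value, sorted for stable output."""
    return sorted(c for c in set(value) if c in SHELL_META)


def scan_line(line):
    """Return a finding for a weblogin.cgi request whose username carries shell metacharacters, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if target.path.rsplit("/", 1)[-1] != "weblogin.cgi":
        return None
    params = parse_qs(target.query, keep_blank_values=True)
    for raw in params.get("username", []):
        chars = suspicious_chars(fully_decode(raw))
        if chars:
            return {"ip": m.group("ip"), "ts": m.group("ts"),
                    "method": m.group("method"), "chars": chars}
    return None


def scan_log(text):
    """Scan every line and collect the findings in log order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} weblogin.cgi username contains {f['chars']}")
```

Only the query string is visible in an access log, so a login submitted as a POST body (the first sample line) passes through this check unflagged; to cover that path the same username test has to run where the body is available, for example in a reverse proxy or WAF in front of the device.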

The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) and CWE-20 (Improper Input Validation).

The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical nature.

Impact

Successful exploitation allows an unauthenticated remote attacker to execute arbitrary commands with root privileges on the Zyxel NAS device. This enables complete compromise of the device, including: unauthorized access to stored data, modification or deletion of files, installation of malware or backdoors, use of the device as a launching point for attacks on other systems, denial of service, and potential lateral movement within connected networks. Given the nature of NAS devices as data storage repositories, this vulnerability poses a severe risk to data confidentiality, integrity, and availability.

Mitigation and workarounds

To remediate, upgrade the firmware:

1. Visit the Zyxel support website and locate your specific NAS model.
2. Download the latest available firmware version (5.21(AAZF.5) or newer).
3. Access the device's web interface, using an out-of-band connection if possible.
4. Navigate to System Settings > Firmware Upgrade.
5. Upload and install the patched firmware.
6. Allow the device to reboot and verify the upgrade was successful.
7. Verify the firmware version in System Information.

The following versions include the necessary fixes: firmware version 5.21(AAZF.5) and later, and various patched versions depending on the specific NAS model.

As temporary workarounds: restrict network access to the NAS device's web management interface (ports 80/443) with firewall rules, allowing access only from trusted IP addresses or subnets; disable the web management interface entirely if it is not required and use alternative access methods (SSH, serial console, or out-of-band management); isolate the NAS device on a segregated network segment with restricted access from untrusted systems; and implement rate limiting and authentication-bypass protections at the network perimeter to detect and block exploitation attempts.

CISA's recommendation: Apply updates per vendor instructions.

Source: This report was generated using AI

Related ZyXEL Vulnerabilities

No related vulnerabilities found with identified affected products.