Taiwanese hardware and electronics maker ASUS has released firmware updates to patch several high-risk vulnerabilities affecting multiple router models.
The list of impacted products includes GT6, GT-AXE16000, GT-AX11000 PRO/GT-AXE11000, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, TUF-AX5400.
Out of nine security flaws patched by ASUS, the most severe are tracked as CVE-2022-26376, CVE-2018-1160, and CVE-2022-46871.
The first two flaws are described as out-of-bounds write issues, while the third is a buffer overflow vulnerability. All three can lead to remote code execution.
“Please note, if you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions. These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger,” ASUS advised.
Another Taiwanese vendor, Zyxel, has also issued security updates to address a pre-authentication command injection vulnerability in some of its network-attached storage (NAS) devices.
Tracked as CVE-2023-27992, the flaw exists due to improper input validation and can be used by a remote unauthenticated attacker to execute arbitrary OS commands on the target system.
The vulnerability impacts the following products:
- NAS326: V5.21(AAZF.13)C0 and earlier (patched in V5.21(AAZF.14)C0)
- NAS540: V5.21(AATB.10)C0 and earlier (patched in V5.21(AATB.11)C0)
- NAS542: V5.21(ABAG.10)C0 and earlier (patched in V5.21(ABAG.11)C0)
Last month, a new variant of the Mirai malware was observed abusing the CVE-2023-28771 flaw in Zyxel firewall appliances to compromise the devices and ensnare them in a botnet.