Remote code execution in multiple Zyxel storage devices

Published: 2020-02-25

Security Bulletin

This security bulletin contains one high-risk vulnerability.

1) OS Command Injection

EUVDB-ID: #VU25597

Risk: High


CVE-ID: CVE-2020-9054

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No


The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation when processing the username field of the login form. A remote, unauthenticated attacker can send a specially crafted HTTP request and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
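As an added illustration of the CWE-78 pattern described above (hypothetical code written for this bulletin, not Zyxel's firmware), the Python below shows a login handler that splices the submitted username into a shell command line, the hardened form that allowlists the field and hands an argv list to the process API so no shell parses it, and a small detection pass over constructed access-log lines. The /login path, the `getent passwd` command, the log-line format and the log lines themselves are all assumptions.

```python
"""Hypothetical login-handler fragments showing CWE-78 via the username field."""
import re
from urllib.parse import parse_qs

# Allowlist for account names; anything outside it never reaches a command.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")
# Characters a shell would interpret; a legitimate username never contains them.
SHELL_META = set(";|&`$()<>\n\r'\"\\")


def username_from_body(body: str) -> str:
    """Extract the username field from a form-urlencoded login body."""
    return parse_qs(body).get("username", [""])[0]


def vulnerable_cmdline(username: str) -> str:
    """The defect: the raw field is spliced into a string that would be handed
    to a shell (os.system / subprocess with shell=True), so metacharacters in
    it are interpreted as command syntax. Returned, not executed."""
    return f"getent passwd {username}"


def hardened_argv(username: str) -> list:
    """The fix: reject anything outside the allowlist, then build an argv list
    for subprocess.run(argv) (shell=False) so the value is a single literal."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by allowlist")
    return ["getent", "passwd", username]


def has_shell_meta(username: str) -> bool:
    """Detection helper: flag a login attempt carrying shell metacharacters."""
    return any(c in SHELL_META for c in username)


def suspicious_login_attempts(log_lines) -> list:
    """Scan lines of the assumed form '<ip> POST /login body=<urlencoded>'
    and return the usernames that look like injection attempts."""
    hits = []
    for line in log_lines:
        if " POST /login body=" not in line:
            continue
        user = username_from_body(line.split(" body=", 1)[1])
        if has_shell_meta(user):
            hits.append(user)
    return hits


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "10.0.0.5 POST /login body=username=admin&password=x",
    "10.0.0.9 POST /login body=username=admin%3Bid&password=x",
    "10.0.0.9 GET /index.html",
]
```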


The vendor has released a hotfix for the following models:

  • NAS326
  • NAS520
  • NAS540
  • NAS542

Vulnerable software versions

NAS326: 5.21

NAS520: 5.21

NAS540: 5.21

NAS542: 5.21

NSA210: All versions

NSA220: All versions

NSA220+: All versions

NSA221: All versions

NSA310: All versions

NSA310S: All versions

NSA320: All versions

NSA320S: All versions

NSA325: All versions

NSA325v2: All versions
