Main
Vulnerability Database
Exploits
ID:9374 - Exploit for OS Command Injection in ZyXEL Communications Corp. products - CVE-2020-9054
ID:9374 - Exploit for OS Command Injection in ZyXEL Communications Corp. products - CVE-2020-9054
Published: October 9, 2023
Vulnerability identifier: #VU25597
Vulnerability risk: High
CVE-ID: CVE-2020-9054
CWE-ID: CWE-78
Exploitation vector: Remote access
Vulnerable software:
Zyxel NAS 326
NAS520
NAS540
NAS542
NSA210
NSA220
NSA220+
NSA221
NSA310
NSA310S
NSA320
NSA320S
NSA325
NSA325v2
Zyxel NAS 326
NAS520
NAS540
NAS542
NSA210
NSA220
NSA220+
NSA221
NSA310
NSA310S
NSA320
NSA320S
NSA325
NSA325v2
Link to public exploit:
Vulnerability description
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation when processing username in the login form. A remote unauthenticated attacker can send a specially crafted HTTP request and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
The vendor has released a hotfix for the following models:
- NAS326
- NAS520
- NAS540
- NAS542