CISA Warns Critical Zyxel NAS Vulnerability is Being Actively Exploited

A critical vulnerability in Zyxel network-attached storage (NAS) devices is being exploited in attacks, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability is tracked as CVE-2023-27992 and affects Zyxel NAS326, NAS540, and NAS542 devices running firmware version 5.21 and earlier versions. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 out of 10.

Successful exploitation of the flaw would allow a remote attacker to execute operating system commands without authentication via a specially crafted HTTP request. Zyxel released patches to fix the flaw last week, and now that the vulnerability is known to have been exploited, patching is now critical. CISA has not released details about how the vulnerability is being exploited; however, Zyxel NAS vulnerabilities can be exploited by botnets, such as the Mirai botnet, and vulnerabilities in NAS devices are targeted by ransomware groups.

CISA has issued a binding operational directive (BOD) requiring all federal agencies to ensure the flaw is patched by July 14 and has advised all organizations that use the affected devices to ensure they are updated as soon as possible to prevent exploitation. CISA says the vulnerability is still being analyzed and further information will be published soon. According to Zyxel, there are no workarounds or mitigations. System administrators should therefore update their NAS devices to the latest firmware version as soon as possible.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of