VDB

CVE-2023-5372

CVE-2023-5372 PUBLISHED CVSS 7.199999809265137 HIGH

The post-authentication command injection vulnerability in Zyxel NAS326 firmware versions through V5.21(AAZF.15)C0 and NAS542 firmware versions through V5.21(ABAG.12)C0 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands by sending a crafted query parameter attached to the URL of an affected device’s web management interface.

EPSS 10.12% · 93.2th percentile

Risk Scores

CVSS 3.1
7.199999809265137
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score
10.12%
93.2th percentile

Affected Products

VendorProductVersions
zyxelnas542_firmware0, 0, 0
ZyxelNAS542 firmware<= V5.21(ABAG.12)C0, <= V5.21(ABAG.12)C0, <= V5.21(ABAG.12)C0
ZyxelNAS326 firmware<= V5.21(AAZF.15)C0, <= V5.21(AAZF.15)C0, *
zyxelnas326_firmware0, 0, 0
zyxelnas326_firmware0, 0, 0
zyxelnas542_firmware0, 0, 0

Exploit Intelligence

Timeline

  • Jan 30, 2024 CVE Published
  • Jan 30, 2024 PoC Published
  • Jan 31, 2024 EPSS Score
  • Feb 28, 2024 EPSS Score
  • Apr 23, 2024 EPSS Score
  • May 20, 2024 EPSS Score
  • Jun 17, 2024 EPSS Score
  • Aug 11, 2024 EPSS Score
  • Sep 7, 2024 EPSS Score
  • Oct 5, 2024 EPSS Score
  • Oct 5, 2024 Coalition ESS Score
  • Nov 21, 2024 CVE Updated

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›