CVE-2023-5372 — Vulnetix

Try Vulnetix Request Demo

CVE-2023-5372 PUBLISHED CVSS 7.199999809265137 HIGH

The post-authentication command injection vulnerability in Zyxel NAS326 firmware versions through V5.21(AAZF.15)C0 and NAS542 firmware versions through V5.21(ABAG.12)C0 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands by sending a crafted query parameter attached to the URL of an affected device’s web management interface.

EPSS 10.12% · 93.0th percentile

Risk Scores

CVSS v3.1

7.199999809265137

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Score

10.12%

93.0th percentile

Affected Products

Vendor	Product	Versions
zyxel	nas542_firmware	0, 0, 0
Zyxel	NAS542 firmware	<= V5.21(ABAG.12)C0, <= V5.21(ABAG.12)C0, <= V5.21(ABAG.12)C0
Zyxel	NAS326 firmware	<= V5.21(AAZF.15)C0, <= V5.21(AAZF.15)C0, <= V5.21(AAZF.15)C0
zyxel	nas326_firmware	0, 0, 0
zyxel	nas326_firmware	0, 0, 0
zyxel	nas542_firmware	0, 0, 0

Timeline

Jan 30, 2024 CVE Published
Jan 30, 2024 PoC Published
Jan 31, 2024 EPSS Score
Feb 27, 2024 EPSS Score
Apr 21, 2024 EPSS Score
May 18, 2024 EPSS Score
Jul 11, 2024 EPSS Score
Aug 7, 2024 EPSS Score
Sep 3, 2024 EPSS Score
Oct 5, 2024 Coalition ESS Score
Oct 27, 2024 EPSS Score
Nov 21, 2024 CVE Updated

References

Open in Interactive Console →