Zyxel firewalls are currently (as of May 2022) under a cyberattack after a critical security flaw was disclosed last week, allowing unauthenticated, remote arbitrary code execution. The flaw, CVE-2020-9054, exists in the XML parser of Zyxel’s network-attached storage (NAS) products and is being exploited in the wild to take complete control of affected devices.
Zyxel NAS devices are vulnerable to a number of exploits, and it’s critical that you patch them as soon as possible. Make sure you update your Zyxel NAS devices to the latest firmware version to protect yourself from this and other exploits.
Zyxel’s networking products are used by small businesses, enterprises, and service providers around the world. The company has over 100 million devices deployed in more than 200 countries.
Zyxel’s ATP, VPN, and USG FLEX series business firewalls are affected. Shadowserver identified nearly 21,000 potentially vulnerable devices hanging around as of this Sunday, prompting US National Security Agency cyber director Rob Joyce to issue a call-to-patch tweet.
The vulnerability may be triggered via a device’s HTTP interface to launch a reverse shell, allowing code execution as the “nobody” user. The nobody user is less powerful than actual user accounts. However, an exploit could still allow a malevolent individual to “modify specific files and then execute some OS commands on a vulnerable device,” Zyxel warned.
In late December, it was discovered that several models of Zyxel NAS devices were vulnerable to a critical remote code execution flaw. The flaw, CVE-2020-9054, exists in the XML parser of these devices and allows unauthenticated, remote arbitrary code execution. That means that an attacker could take full control of your device without you even knowing.
Zyxel released a patch for this flaw on January 5, but it’s unclear how many devices have been affected by this exploit.
Zyxel recommends that all affected product users update to the latest firmware version as soon as possible. You can find instructions for updating your firmware on Zyxel’s website. Make sure you follow the instructions carefully, as a mistake could render your device inoperable.