"Zyxel Patches Critical Vulnerability in NAS Firmware"

Networking solutions provider Zyxel has recently released patches for a critical-severity vulnerability impacting the firmware of multiple network attached storage (NAS) device models. The security defect is tracked as CVE-2022-34747 and carries a CVSS score of 9.8/10. It is publicly documented as a format string vulnerability impacting Zyxel NAS326 firmware versions prior to V5.21(AAZF.12)C0. An attacker could exploit the vulnerability by sending specially crafted UDP packets to the affected products. According to Zyxel, successfully exploiting the bug could allow an attacker to execute arbitrary code on the impacted device. Zyxel stated that its investigation had identified only three affected NAS models that are within their support lifetime. The vendor silently patched the vulnerability in mid-August with firmware updates for the NAS326, NAS540, and NAS542 device models but delayed publication of the flaw details until this week.
 

SecurityWeek reports: "Zyxel Patches Critical Vulnerability in NAS Firmware"

Submitted by Anonymous on