Vulnerability CVE-2020-9054 in ZyXEL NAS devices

[German]Zyxel has closed a 0-Day vulnerability in its NAS devices through a firmware update. An exploit code for the vulnerability is currently being sold on underground forums for $20,000.


I became aware of the security issue through the following tweet from Will Dormann.

On 02/24/2020 this security advisory was published for various Zyxel NAS models. Several ZyXEL network attached storage (NAS) devices contain a pre-authentication command injection vulnerability that could allow a remote attacker to execute arbitrary code on a vulnerable device without logging in.

NAS devices from ZyXEL allow authentication by using the weblogin.cgi executable CGI file. However, this CGI program cannot properly handle the username parameter passed to it. If the parameter contains certain characters specified with the user name, it may allow a command injection with the privileges of the Web server running on the ZyXEL device. ermöglichen.

Although the Web server is not running as a root user, the ZyXEL devices contain a setuid utility that can be used to execute any command with root privileges. Therefore, it is likely that the exploitation of this vulnerability could lead to remote code execution with root privileges.


By sending a specially crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker could potentially execute arbitrary code on the device. This can be done by connecting to a device if the attacker has access to the device. However, there are ways to trigger such primed requests even if an attacker does not have a direct connection to a vulnerable device. For example, simply visiting a Web site can compromise any ZyXEL device that is accessible from the client system.

ZyXEL has provided firmware updates for the NAS326, NAS520, NAS540 and NAS542 devices. Owners of NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2 cannot install firmware updates because these devices are no longer supported.

Care should be taken when updating the firmware on the affected devices. This is because the ZyXEL firmware upgrade process uses an insecure channel (FTP) to retrieve updates. On the other hand, the firmware files are verified only by a checksum and not by a cryptographic signature. For these reasons, any attacker who has control over DNS or IP routing can cause a malicious firmware to be installed on a ZyXEL device.

Those who cannot patch should use workarounds for protection. This problem can be mitigated by blocking (e.g. with a firewall) access to the web interface (80/tcp and 443/tcp) of a vulnerable ZyXEL device. Any device that can access the ZyXEL Web Interface should not also be able to access the Internet.

Brian Krebs has published some more information about this case in this article. For example, he reported to Zyxel that a 0-day exploit was in circulation and sold for 20,000 US $.


This entry was posted in devices, Security and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *