Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device.

ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges.

Shell Metacharacter Injection in the package installer on Zyxel NAS 326 version 5.21 and below allows an authenticated attacker to execute arbitrary code via multiple different requests.

Atp100, Atp100 Firmware, Atp200 and 51 more

A format string vulnerability in Zyxel NAS326 firmware versions prior to V5.21(AAZF.12)C0 could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet.

Nas326, Nas326 Firmware, Nas520 and 5 more

A backdoor in certain Zyxel products allows remote TELNET access via a CGI script.