The Software Engineering Institute CERT Coordination Center advised that several ZyXEL network-attached storage devices contain a pre-authentication command injection vulnerability.

CVE-2020-9054,
if exploited, could allow a remote, unauthenticated attacker to execute
arbitrary code on a vulnerable device. The problem is it uses the weblogin.cgi
CGI executable for authentication and that program fails to properly sanitize
the username parameter it obtains.

“By sending
a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a
remote, unauthenticated attacker may be able to execute arbitrary code on the
device. This may happen by directly connecting to a device if it is directly
exposed to an attacker,” the advisory stated.

The problem
can be mitigated through firmware updates, which are now available
for ZyXEL models NAS326, NAS520, NAS540, and NAS542 devices.

Unfortunately,
the following devices are also vulnerable but cannot be updated as they are no
longer supported: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S,
NSA325 and NSA325v2.