Multiple ZyXEL NAS devices are vulnerable to pre-authentication command injection using the web administration interface - CVE-2020-9054. Executed commands may leverage built-in capabilities to execute commands with root privileges. https://www.kb.cert.org/vuls/id/498544/
Note that ZyXEL has expanded the list of affected devices beyond just NAS devices. Device families that have firmware updates to address CVE-2020-9054 now include: NAS, NSA, ATP, USG, USG-VPN, VPN, and ZyWall. https://www.kb.cert.org/vuls/id/498544/
Here's the code from a vulnerable USG20-VPN device. It shouldn't take too much squinting to see where the problem is here.
pic.twitter.com/4LVM7dEDgs
I really like the bit where you did not play stupid games and just called this what it is. 10/10
cc @samykamkar did you need a NAT busting exploit still? This looks like a very widespread issue.