Multiple ZyXEL NAS devices are vulnerable to pre-authentication command injection using the web administration interface (CVE-2020-9054). Executed commands may leverage built-in capabilities to execute commands with root privileges. https://www.kb.cert.org/vuls/id/498544/
-
Here's the code from a vulnerable USG20-VPN device. It shouldn't take too much squinting to see where the problem is here.
pic.twitter.com/4LVM7dEDgs
-
"Be cautious when updating firmware on affected devices, as the ZyXEL firmware upgrade process both uses an insecure channel (FTP) for retrieving updates, and the firmware files are only verified by checksum rather than cryptographic signature." - fantastic

-
I've tried to determine how one "cautiously" updates firmware, but I couldn't really come up with better wording. So yeah, maybe don't do it over the WiFi at your local coffee shop?
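The CERT note's point about checksum-only verification is easy to see in code: a CRC that travels over the same unauthenticated FTP channel as the image protects against corruption, not against substitution, because whoever can swap the image can also recompute the CRC. The example below is added here and is not ZyXEL's code or CERT's; the firmware bytes, the tampering, and the vendor key pair are all constructed for the demo. It contrasts the weak check with an Ed25519 signature check of the kind the advisory says is missing.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"hash/crc32"
)

// Constructed stand-in for a firmware image; not a real ZyXEL image.
var firmware = []byte("demo-firmware-v1: kernel+rootfs+update-script")

// ChecksumOK is the weak, checksum-only check: it detects corruption in
// transit but not substitution, because the CRC is not bound to any secret.
func ChecksumOK(image []byte, expected uint32) bool {
	return crc32.ChecksumIEEE(image) == expected
}

// SignatureOK is the check the advisory says is missing: verification needs
// only the vendor's public key baked into the device, and only the holder of
// the private key can produce a signature that verifies.
func SignatureOK(pub ed25519.PublicKey, image, sig []byte) bool {
	return ed25519.Verify(pub, image, sig)
}

// Tamper simulates an on-path attacker on the plaintext FTP channel swapping
// bytes in the image before it reaches the device.
func Tamper(image []byte) []byte {
	return bytes.Replace(image, []byte("update-script"), []byte("backdoor-scr"), 1)
}

// Result records which checks a given image passed.
type Result struct {
	Checksum  bool
	Signature bool
}

// Run returns the outcome for the genuine image and for the tampered image.
// For the tampered image the CRC is recomputed by the attacker, since it
// ships over the same unauthenticated channel as the image itself.
func Run() (Result, Result, error) {
	// Vendor key pair, generated here for the demo (constructed, not a real key).
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, Result{}, err
	}
	sig := ed25519.Sign(priv, firmware)
	crc := crc32.ChecksumIEEE(firmware)

	genuine := Result{ChecksumOK(firmware, crc), SignatureOK(pub, firmware, sig)}

	evil := Tamper(firmware)
	evilCRC := crc32.ChecksumIEEE(evil) // attacker can recompute this freely
	tampered := Result{ChecksumOK(evil, evilCRC), SignatureOK(pub, evil, sig)}

	return genuine, tampered, nil
}

func main() {
	g, t, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine:  checksum=%v signature=%v\n", g.Checksum, g.Signature)
	fmt.Printf("tampered: checksum=%v signature=%v\n", t.Checksum, t.Signature)
}
```

The genuine image passes both checks; the tampered image still passes the checksum check (the attacker supplied a matching CRC) but fails the signature check. That is the difference between an integrity check and an authenticity check, and it is why an insecure download channel matters only when the image is not signed.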