CVE-2023-4474 - Vulnerability Details - OpenCVE

The improper neutralization of special elements in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation PoC

Automatable Yes

Technical Impact Total

Vendors	Products
Zyxel	Nas326 Nas326 Firmware Nas542 Nas542 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:nas326:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:zyxel:nas542_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:nas542:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://bugprove.com/knowledge-hub/cve-2023-4473-and-cve-2023-4474-authentication-bypass-and-multiple-blind-os-command-injection-vulnerabilities-in-zyxel-s-nas-326-devices/
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products

History

Thu, 13 Feb 2025 18:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:o:zyxel:nas326_firmware:5.21\(aazf.14\)c0:::::::* cpe:2.3:o:zyxel:nas542_firmware:5.21\(abag.11\)c0:::::::*
Metrics		ssvc `{'options': {'Automatable': 'Yes', 'Exploitation': 'PoC', 'Technical Impact': 'Total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Zyxel

Published: 2023-11-30T01:45:29.920Z

Updated: 2025-02-13T17:13:42.559Z

Reserved: 2023-08-22T06:51:34.440Z

Link: CVE-2023-4474

Vulnrichment

Updated: 2024-08-02T07:31:05.490Z

NVD

Status : Modified

Published: 2023-11-30T02:15:43.553

Modified: 2024-11-21T08:35:14.640

Link: CVE-2023-4474

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4474", "assignerOrgId": "96e50032-ad0d-4058-a115-4d2c13821f9f", "state": "PUBLISHED", "assignerShortName": "Zyxel", "dateReserved": "2023-08-22T06:51:34.440Z", "datePublished": "2023-11-30T01:45:29.920Z", "dateUpdated": "2025-02-13T17:13:42.559Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "NAS326 firmware", "vendor": "Zyxel", "versions": [{"status": "affected", "version": "V5.21(AAZF.14)C0"}]}, {"defaultStatus": "unaffected", "product": "NAS542 firmware", "vendor": "Zyxel", "versions": [{"status": "affected", "version": "V5.21(ABAG.11)C0"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The improper neutralization of special elements in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device."}], "value": "The improper neutralization of special elements in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "96e50032-ad0d-4058-a115-4d2c13821f9f", "shortName": "Zyxel", "dateUpdated": "2023-12-06T01:37:39.050Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products"}, {"url": "https://bugprove.com/knowledge-hub/cve-2023-4473-and-cve-2023-4474-authentication-bypass-and-multiple-blind-os-command-injection-vulnerabilities-in-zyxel-s-nas-326-devices/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-4474", "role": "CISA Coordinator", "options": [{"Exploitation": "PoC"}, {"Automatable": "Yes"}, {"Technical Impact": "Total"}], "version": "2.0.3", "timestamp": "2024-05-03T04:00:16.790117Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:zyxel:nas326_firmware:5.21\\(aazf.14\\)c0:*:*:*:*:*:*:*"], "vendor": "zyxel", "product": "nas326_firmware", "versions": [{"status": "affected", "version": "5.21\\(aazf.14\\)c0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:o:zyxel:nas542_firmware:5.21\\(abag.11\\)c0:*:*:*:*:*:*:*"], "vendor": "zyxel", "product": "nas542_firmware", "versions": [{"status": "affected", "version": "5.21\\(abag.11\\)c0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:27:14.751Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:31:05.490Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products"}, {"url": "https://bugprove.com/knowledge-hub/cve-2023-4473-and-cve-2023-4474-authentication-bypass-and-multiple-blind-os-command-injection-vulnerabilities-in-zyxel-s-nas-326-devices/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://bugprove.com/knowledge-hub/cve-2023-4473-and-cve-2023-4474-authentication-bypass-and-multiple-blind-os-command-injection-vulnerabilities-in-zyxel-s-nas-326-devices/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:31:05.490Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-4474", "role": "CISA Coordinator", "options": [{"Exploitation": "PoC"}, {"Automatable": "Yes"}, {"Technical Impact": "Total"}], "version": "2.0.3", "timestamp": "2024-05-03T04:00:16.790117Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:zyxel:nas326_firmware:5.21\\(aazf.14\\)c0:*:*:*:*:*:*:*"], "vendor": "zyxel", "product": "nas326_firmware", "versions": [{"status": "affected", "version": "5.21\\(aazf.14\\)c0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:o:zyxel:nas542_firmware:5.21\\(abag.11\\)c0:*:*:*:*:*:*:*"], "vendor": "zyxel", "product": "nas542_firmware", "versions": [{"status": "affected", "version": "5.21\\(abag.11\\)c0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-03T13:14:19.981Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Zyxel", "product": "NAS326 firmware", "versions": [{"status": "affected", "version": "V5.21(AAZF.14)C0"}], "defaultStatus": "unaffected"}, {"vendor": "Zyxel", "product": "NAS542 firmware", "versions": [{"status": "affected", "version": "V5.21(ABAG.11)C0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products", "tags": ["vendor-advisory"]}, {"url": "https://bugprove.com/knowledge-hub/cve-2023-4473-and-cve-2023-4474-authentication-bypass-and-multiple-blind-os-command-injection-vulnerabilities-in-zyxel-s-nas-326-devices/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "The improper neutralization of special elements in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.", "supportingMedia": [{"type": "text/html", "value": "The improper neutralization of special elements in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "96e50032-ad0d-4058-a115-4d2c13821f9f", "shortName": "Zyxel", "dateUpdated": "2023-12-06T01:37:39.050Z"}}}, "cveMetadata": {"cveId": "CVE-2023-4474", "state": "PUBLISHED", "dateUpdated": "2025-02-13T17:13:42.559Z", "dateReserved": "2023-08-22T06:51:34.440Z", "assignerOrgId": "96e50032-ad0d-4058-a115-4d2c13821f9f", "datePublished": "2023-11-30T01:45:29.920Z", "assignerShortName": "Zyxel"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "897157F4-9F3E-4F03-91DF-6223C1BAA451", "versionEndIncluding": "5.21\\(aazf.14\\)c0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:nas326:-:*:*:*:*:*:*:*", "matchCriteriaId": "E0A01B19-4A91-4FBC-8447-2E854346DAC5", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:nas542_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A0D05F3-0FBD-43D0-8041-2AAF822B83C5", "versionEndIncluding": "5.21\\(abag.11\\)c0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:nas542:-:*:*:*:*:*:*:*", "matchCriteriaId": "31C4DD0F-28D0-4BF7-897B-5EEC32AA7277", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The improper neutralization of special elements in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device."}, {"lang": "es", "value": "La neutralizaci\u00f3n inadecuada de elementos especiales en el servidor WSGI del firmware Zyxel NAS326 versi\u00f3n V5.21(AAZF.14)C0 y NAS542 versi\u00f3n V5.21(ABAG.11)C0 podr\u00eda permitir que un atacante no autenticado ejecute alg\u00fan sistema operativo (OS ) comandos enviando una URL manipulada a un dispositivo vulnerable."}], "id": "CVE-2023-4474", "lastModified": "2024-11-21T08:35:14.640", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@zyxel.com.tw", "type": "Secondary"}]}, "published": "2023-11-30T02:15:43.553", "references": [{"source": "security@zyxel.com.tw", "url": "https://bugprove.com/knowledge-hub/cve-2023-4473-and-cve-2023-4474-authentication-bypass-and-multiple-blind-os-command-injection-vulnerabilities-in-zyxel-s-nas-326-devices/"}, {"source": "security@zyxel.com.tw", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugprove.com/knowledge-hub/cve-2023-4473-and-cve-2023-4474-authentication-bypass-and-multiple-blind-os-command-injection-vulnerabilities-in-zyxel-s-nas-326-devices/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products"}], "sourceIdentifier": "security@zyxel.com.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@zyxel.com.tw", "type": "Secondary"}]}