Skip to main content

Nas326 Firmware CVE-2022-34747

CRITICAL
Use of Externally-Controlled Format String (CWE-134)
2022-09-06 security@zyxel.com.tw
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Sep 06, 2022 - 02:15 nvd
CRITICAL 9.8

DescriptionNVD

A format string vulnerability in Zyxel NAS326 firmware versions prior to V5.21(AAZF.12)C0 could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet.

AnalysisAI

A format string vulnerability in Zyxel NAS326 firmware versions prior to V5.21(AAZF.12)C0 could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-134. A format string vulnerability in Zyxel NAS326 firmware versions prior to V5.21(AAZF.12)C0 could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet. Affected products include: Zyxel Nas326 Firmware.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2024-29974 CRITICAL POC
9.8 Jun 04

** UNSUPPORTED WHEN ASSIGNED ** The remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NA

CVE-2024-29973 CRITICAL POC
9.8 Jun 04

** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 firmwar

CVE-2024-29972 CRITICAL POC
9.8 Jun 04

** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the CGI program "remote_help-cgi" in Zyxel NAS326

CVE-2020-9054 CRITICAL POC
9.8 Mar 04

Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command

CVE-2019-10633 HIGH POC
8.8 Apr 09

An eval injection vulnerability in the Python web server routing on the Zyxel NAS 326 version 5.21 and below allows a re

CVE-2019-10631 HIGH POC
8.8 Apr 09

Shell Metacharacter Injection in the package installer on Zyxel NAS 326 version 5.21 and below allows an authenticated a

CVE-2019-10630 HIGH POC
8.8 Apr 09

A plaintext password vulnerability in the Zyxel NAS 326 through 5.21 allows an elevated privileged user to get the admin

CVE-2024-29975 MEDIUM POC
6.7 Jun 04

** UNSUPPORTED WHEN ASSIGNED ** The improper privilege management vulnerability in the SUID executable binary in Zyxel N

CVE-2024-29976 MEDIUM POC
6.5 Jun 04

** UNSUPPORTED WHEN ASSIGNED ** The improper privilege management vulnerability in the command “show_allsessions” in Zyx

CVE-2019-10632 MEDIUM POC
6.5 Apr 09

A directory traversal vulnerability in the file browser component on the Zyxel NAS 326 version 5.21 and below allows a l

CVE-2024-6342 CRITICAL
9.8 Sep 10

**UNSUPPORTED WHEN ASSIGNED** A command injection vulnerability in the export-cgi program of Zyxel NAS326 firmware versi

CVE-2023-4474 CRITICAL
9.8 Nov 30

The improper neutralization of special elements in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0

Share

CVE-2022-34747 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy