A vulnerability classified as problematic was found in ZyXEL NAS 326 up to 5.21. This vulnerability affects some unknown functionality. The manipulation with an unknown input leads to a credentials management vulnerability (Password). The CWE definition for the vulnerability is CWE-255. As an impact it is known to affect confidentiality. CVE summarizes:

A plaintext password vulnerability in the Zyxel NAS 326 through 5.21 allows an elevated privileged user to get the admin password of the device.

The bug was discovered 04/04/2019. The weakness was released 04/09/2019. This vulnerability was named CVE-2019-10630 since 03/29/2019. The attack can be initiated remotely. A single authentication is required for exploitation. There are neither technical details nor an exploit publicly available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 08/27/2023). The MITRE ATT&CK project declares the attack technique as T1552.

The vulnerability was handled as a non-public zero-day exploit for at least 5 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Entries connected to this vulnerability are available at VDB-133160, VDB-133159, VDB-133158 and VDB-133157. Once again VulDB remains the best source for vulnerability data.

Productinfo

Vendor

• ZyXEL

Name

• NAS 326

Version

• 5.0
• 5.1
• 5.2
• 5.3
• 5.4
• 5.5
• 5.6
• 5.7
• 5.8
• 5.9
• 5.10
• 5.11
• 5.12
• 5.13
• 5.14
• 5.15
• 5.16
• 5.17
• 5.18
• 5.19
• 5.20
• 5.21

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion