ZyXEL NAS up to 5.20 weblogin.cgi Username os command injection
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 8.4 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as critical, has been found in ZyXEL NAS up to 5.20. This vulnerability affects unknown code of the file weblogin.cgi. Performing a manipulation of the argument Username as part of GET Request results in os command injection. This vulnerability is cataloged as CVE-2020-9054. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. It is advisable to upgrade the affected component.
Details
A vulnerability, which was classified as critical, was found in ZyXEL NAS up to 5.20. This affects an unknown functionality of the file weblogin.cgi. The manipulation of the argument username as part of a GET Request leads to a os command injection vulnerability. CWE is classifying the issue as CWE-78. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:
Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2
The weakness was shared 03/04/2020 as confirmed advisory (CERT.org). It is possible to read the advisory at kb.cert.org. This vulnerability is uniquely identified as CVE-2020-9054 since 02/18/2020. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details and a exploit are known. The attack technique deployed by this issue is T1202 according to MITRE ATT&CK.
It is declared as attacked. The CISA Known Exploited Vulnerabilities Catalog lists this issue since 03/25/2022 with a due date of 04/15/2022:
Apply updates per vendor instructions.Upgrading to version 5.21 eliminates this vulnerability.
Be aware that VulDB is the high quality source for vulnerability data.
Product
Vendor
Name
Version
License
Website
- Vendor: https://www.zyxel.com/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.5VulDB Meta Temp Score: 8.4
VulDB Base Score: 7.3
VulDB Temp Score: 7.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 9.8
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Os command injectionCWE: CWE-78 / CWE-77 / CWE-74
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Attacked
EPSS Score: 🔍
EPSS Percentile: 🔍
KEV Added: 🔍
KEV Due: 🔍
KEV Remediation: 🔍
KEV Ransomware: 🔍
KEV Notice: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: NAS 5.21
Timeline
02/18/2020 🔍03/04/2020 🔍
03/05/2020 🔍
02/07/2025 🔍
Sources
Vendor: zyxel.comAdvisory: kb.cert.org
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2020-9054 (🔍)
GCVE (CVE): GCVE-0-2020-9054
GCVE (VulDB): GCVE-100-150879
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 03/05/2020 08:29Updated: 02/07/2025 14:28
Changes: 03/05/2020 08:29 (43), 03/05/2020 08:34 (17), 04/24/2024 13:31 (28), 09/19/2024 18:13 (1), 02/07/2025 14:28 (1)
Complete: 🔍
Cache ID: 216::103
Be aware that VulDB is the high quality source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.