⚠ Actively exploited
Added to CISA KEV on 2022-03-25. Federal agencies required to patch by 2022-04-15. Required action: apply updates per vendor instructions.

CVE-2020-9054

CWE-78: OS Command Injection | 12 documents | 9 sources

Severity: 9.8 CRITICAL
EPSS: 94.3% (top 0.05%)
CISA KEV: added 2022-03-25, due 2022-04-15
Exploit: exploited in the wild, active exploitation observed
Timeline: published 2020-03-04, KEV added 2022-03-25, KEV due 2022-04-15, latest update 2022-05-24
CISA required action: apply updates per vendor instructions.

Description

Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 and earlier contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices perform authentication through the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter passed to it: if the username contains certain characters, they are interpreted by the shell and allow command injection before any credentials are checked.
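The flaw class described above, shown as an added example that is not the Zyxel weblogin.cgi code: a username interpolated into a shell command line, next to the hardened form that validates against an allowlist and never invokes a shell. The command being built (a plain echo), the allowlist policy and the marker string are assumptions for the demonstration; it needs a POSIX sh because the injected ';' is a sh command separator.

```python
"""Model of the weblogin.cgi flaw class: a username that reaches a shell
unsanitised.  Added example, not the Zyxel binary; the command being built
(echo) and the allowlist policy are assumptions.  Requires a POSIX sh."""
import re
import subprocess

# Assumed account-name policy: short, no shell metacharacters at all.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")
INJECTION_MARKER = "INJECTED"


def lookup_vulnerable(username: str) -> str:
    """Flawed pattern: untrusted input interpolated into a shell command line.
    'admin; echo INJECTED' terminates the echo and runs a second command."""
    cmd = "echo lookup:%s" % username            # no validation, no quoting
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def validate_username(username: str) -> bool:
    """Allowlist check applied before any command is constructed."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_hardened(username: str) -> str:
    """Fixed pattern: validate first, then pass the value as a discrete argv
    element with shell=False so metacharacters are never interpreted."""
    if not validate_username(username):
        raise ValueError("rejected username: %r" % username)
    proc = subprocess.run(["echo", "lookup:" + username],
                          capture_output=True, text=True)
    return proc.stdout


def was_injected(output: str) -> bool:
    """True when the attacker-appended command actually ran."""
    return INJECTION_MARKER in output


if __name__ == "__main__":
    payload = "admin; echo " + INJECTION_MARKER   # constructed input
    print(lookup_vulnerable(payload), end="")      # lookup:admin, then INJECTED
    print(validate_username(payload))              # False
    print(lookup_hardened("admin"), end="")        # lookup:admin
```

The two defences are independent and both matter: the allowlist stops the payload at the door, and passing argv as a list means that even a value that slips past validation is handed to the program as data rather than parsed by sh.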

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (40 packages; 5 shown)

Source  Package                  Affected versions
NVD     zyxel/nas326_firmware    < 5.21(aazf.7)c0
NVD     zyxel/nas520_firmware    < 5.21(aasz.3)c0
NVD     zyxel/nas540_firmware    < 5.21(aatb.4)c0
NVD     zyxel/nas542_firmware    < 5.21(abag.4)c0
NVD     zyxel/usg40_firmware     4.35 to 4.35(aala.3)c0
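A version check against the four NAS fixed versions listed above, as an added example (not NVD or Zyxel tooling). It assumes the version-string grammar visible in the list, major.minor(MODEL.patch)Cn, and orders releases by (major, minor, patch) within a model code; both are assumptions. The USG40 entry is a bounded range rather than an upper bound and is not modelled here.

```python
"""Checks a Zyxel NAS firmware version string against the fixed versions in the
affected-packages list.  Added example; the grammar major.minor(MODEL.patch)Cn
and the (major, minor, patch) ordering are assumptions based on that list."""
import re

VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\(([A-Za-z]+)\.(\d+)\)C(\d+)$",
                        re.IGNORECASE)

# Fixed versions as listed on this page (NVD), keyed by the model code that
# the version string itself carries.
FIXED = {
    "AAZF": "5.21(AAZF.7)C0",   # NAS326
    "AASZ": "5.21(AASZ.3)C0",   # NAS520
    "AATB": "5.21(AATB.4)C0",   # NAS540
    "ABAG": "5.21(ABAG.4)C0",   # NAS542
}


def parse_version(s: str):
    """Return (major, minor, model, patch, build); raise on unknown format."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError("unrecognised Zyxel version: %r" % s)
    major, minor, model, patch, build = m.groups()
    return int(major), int(minor), model.upper(), int(patch), int(build)


def is_affected(running: str) -> bool:
    """True if `running` is older than the fixed release for its model code.
    A model code with no fixed version on this page raises rather than guess."""
    major, minor, model, patch, _ = parse_version(running)
    if model not in FIXED:
        raise KeyError("no fixed version listed here for model code %s" % model)
    fmajor, fminor, _, fpatch, _ = parse_version(FIXED[model])
    return (major, minor, patch) < (fmajor, fminor, fpatch)


if __name__ == "__main__":
    for v in ("V5.21(AAZF.6)C0", "V5.21(AAZF.7)C0", "V5.11(ABAG.0)C0"):
        print(v, "affected" if is_affected(v) else "fixed")
```

Run it against the version string the device's own web UI or firmware file reports; the point of parsing the model code is that a NAS540 build number says nothing about a NAS326, so the comparison is only ever made within one model.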

🔴 Vulnerability Details (3)

GHSA
GHSA-w6h5-rjp3-hxvc: Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5… (2022-05-24)
CVEList
ZyXEL NAS products running firmware version 5.21 and earlier are vulnerable to pre-authentication command injection in weblogin.cgi (2020-03-04)
VulnCheck
Zyxel Multiple NAS Devices OS Command Injection Vulnerability (2020)

💥 Exploits & PoCs (1)

Nuclei
Zyxel NAS Firmware 5.21 - Remote Code Execution

🔍 Detection Rules (2)

Suricata
ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M1 (2020-03-12)
Suricata
ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M2 (2020-03-12)

📋 Vendor Advisories (1)

CISA
Zyxel Multiple NAS Devices OS Command Injection Vulnerability (2022-03-25)

🕵️ Threat Intelligence (1)

Unit42
New Mirai Variant Targets Zyxel Network-Attached Storage Devices (2020-03-19)
Source: cvebase.io, CVE-2020-9054 (CRITICAL, CVSS 9.8)