
Advisory Overview

Several ZyXEL NAS devices are vulnerable to Remote Code Execution (RCE). The vulnerability could potentially allow an attacker to execute remote commands as root. A patch has been released, but many devices are end of life and do not have an update. SKOUT recommends updating firmware immediately on all supported devices and hardening (or replacing) end-of-life devices.

Technical detail and additional information

What is the threat?

A Remote Code Execution (RCE) vulnerability exists in the “weblogin.cgi” executable that is used in a wide variety of ZyXEL NAS and firewall products. Specifically, the program fails to properly sanitize the “username” parameter that it is passed. If this parameter contains specific characters, a command injection may be allowed with the privileges that are given to the web server that runs on the vulnerable ZyXEL device.
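For defenders who keep proxy or web access logs in front of these devices, the following added example (not part of the original advisory and not ZyXEL code) flags requests to weblogin.cgi whose “username” value contains anything outside a conservative allowlist. The allowlist, the common/combined log format, the request paths and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate usernames use only these characters; adjust to site policy.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")
# Source address and request target of a common/combined-format access log line.
REQUEST = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_logins(log_lines):
    """Return (source, decoded username) for weblogin.cgi requests whose
    username parameter falls outside the allowlist (empty values included)."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/weblogin.cgi"):
            continue
        # parse_qs percent-decodes values, so encoded metacharacters are compared in clear.
        params = parse_qs(url.query, keep_blank_values=True)
        for name in params.get("username", []):
            if not SAFE_USERNAME.fullmatch(name):
                hits.append((m.group("src"), name))
    return hits


# Constructed sample lines (not captured traffic); the paths are illustrative.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2020:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Mar/2020:10:00:05 +0000] "GET /cgi-bin/weblogin.cgi?username=admin&password=x HTTP/1.1" 200 90',
    '198.51.100.7 - - [01/Mar/2020:10:01:00 +0000] "GET /cgi-bin/weblogin.cgi?username=test%3Bx&password=x HTTP/1.1" 200 90',
    '10.0.0.23 - - [01/Mar/2020:10:02:00 +0000] "GET /cgi-bin/weblogin.cgi?username=bob%7Cx HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for src, name in suspicious_logins(SAMPLE_LOG):
        print(f"ALERT src={src} username={name!r}")
```

Access logs record only the query string, so a username sent in a POST body has to be inspected at a proxy or WAF instead. Hits from internal client addresses matter as much as external ones, because a browser on the LAN can relay the request.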

Why is this noteworthy?

This vulnerability exists in a number of ZyXEL devices (a full list of which is included in the “References” below). The exploit is simple but highly reliable, and while the web server that is exploited does not run as the root user, numerous ZyXEL devices include a “setuid” utility which can run any command with root privileges. Due to the simplicity of the exploit, a malicious actor can readily locate thousands of vulnerable devices with pre-provided links and easily attempt the exploit. Additionally, a malicious actor can compromise a ZyXEL device even without direct connectivity to it: a user simply viewing a compromised website can result in this exploit being performed on any ZyXEL device reachable from the client system.

What is the exposure or risk?

When exploited, this vulnerability allows a malicious actor to execute any number of remote commands or arbitrary code, potentially with root privileges via the “setuid” command. Also of note is recent activity suggesting that ransomware groups have been actively working to fold this exploit into the notorious malware “Emotet”, meaning this exploit could be leveraged to propagate ransomware attacks.

What are the recommendations?

ZyXEL has patched the vulnerability in several of the affected devices and recommends downloading the available firmware updates as soon as possible. However, some of the affected devices have been identified by ZyXEL as end of life; they are no longer supported and will not have this update available. In either case, you can also harden your devices against exploitation with the following security steps:

  • Block access to the web interface (80/tcp and 443/tcp) on any vulnerable ZyXEL device.
  • Restrict access to vulnerable ZyXEL devices by not exposing them to the internet directly.

Download the hotfix here:

| Affected model | Standard availability |
|---|---|
| NAS326 | March 2020. Firmware V5.21(AAZF.7)C0 |
| NAS520 | March 2020. Firmware V5.21(AASZ.3)C0 |
| NAS540 | March 2020. Firmware V5.21(AATB.4)C0 |
| NAS542 | March 2020. Firmware V5.21(ABAG.4)C0 |
| ATP100 | March 2020. Firmware V4.35(ABPS.3)C0 |
| ATP200 | March 2020. Firmware V4.35(ABFW.3)C0 |
| ATP500 | March 2020. Firmware V4.35(ABFU.3)C0 |
| ATP800 | March 2020. Firmware V4.35(ABIQ.3)C0 |
| USG20-VPN | March 2020. Firmware V4.35(ABAQ.3)C0 |
| USG20W-VPN | March 2020. Firmware V4.35(ABAR.3)C0 |
| USG40 | March 2020. Firmware V4.35(AALA.3)C0 |
| USG40W | March 2020. Firmware V4.35(AALB.3)C0 |
| USG60 | March 2020. Firmware V4.35(AAKY.3)C0 |
| USG60W | March 2020. Firmware V4.35(AAKZ.3)C0 |
| USG110 | March 2020. Firmware V4.35(AAPH.3)C0 |
| USG210 | March 2020. Firmware V4.35(AAPI.3)C0 |
| USG310 | March 2020. Firmware V4.35(AAPJ.3)C0 |
| USG1100 | March 2020. Firmware V4.35(AAPK.3)C0 |
| USG1900 | March 2020. Firmware V4.35(AAPL.3)C0 |
| USG2200 | March 2020. Firmware V4.35(ABAE.3)C0 |
| VPN50 | March 2020. Firmware V4.35(ABHL.3)C0 |
| VPN100 | March 2020. Firmware V4.35(ABFV.3)C0 |
| VPN300 | March 2020. Firmware V4.35(ABFC.3)C0 |
| VPN1000 | March 2020. Firmware V4.35(ABIP.3)C0 |
| ZyWALL110 | March 2020. Firmware V4.35(AAAA.3)C0 |
| ZyWALL310 | March 2020. Firmware V4.35(AAAB.3)C0 |
| ZyWALL1100 | March 2020. Firmware V4.35(AAAC.3)C0 |


For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.


Posted by Doris Au

Doris is a product marketing manager at Barracuda MSP. In this position, she is responsible for connecting managed service providers with multi-layered security and data protection products that can protect their customers from today’s advanced cyber threats.
