Asset Description: Zyxel NAS (Network Attached Storage) is a centralized file storage device allowing multiple users to access data over a network. This vulnerability specifically affects Zyxel NAS326 and NAS542 models with firmware versions prior to V5.21(AAZF.17)C0. Note that these are both End-of-Life (EOL) products, but a patch is still available from the vendor.
Vulnerability Impact: If successfully exploited, attackers could gain full control over the affected NAS devices with root privileges, allowing them to execute malicious code, steal sensitive data, install malware, and use the compromised device as a pivot point for further network attacks.
Patch Availability: Zyxel has released patches for the affected NAS326 and NAS542 models, despite these devices having reached End-of-Life (EOL) status in December 2023. Users are advised to update to firmware version V5.21(AAZF.17)C0 or later.
Censys Perspective: As of June 27, 2024, Censys observed 1,194 exposed Zyxel devices running NAS326 or NAS542. It’s unclear how many of these are patched vs. vulnerable. These are concentrated primarily in Europe – particularly in Italy (197 hosts), Russia (166), Hungary (149) and Germany (144).
Map of Censys-visible Zyxel NAS326 and NAS542 Devices as of June 27, 2024
Detection with Censys: The following queries can be leveraged to identify all Censys-visible public-facing Zyxel NAS326 and NAS542 instances. Note that we do not have visibility into firmware versions.
Censys Search query: services.software: (vendor: "Zyxel" and product: {"NAS326", "NAS542"})
Censys ASM query: host.services.software: (vendor: "Zyxel" and product: {"NAS326", "NAS542"}) or web_entity.instances.software: (vendor: "Zyxel" and product: {"NAS326", "NAS542"})
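Because Censys has no visibility into firmware versions, the queries above only tell you which hosts are NAS326 or NAS542 units; deciding whether each one is actually patched requires joining that list against firmware data from your own inventory. The script below is an added example (not Censys code and not part of the original advisory) that does that join offline: it applies the same vendor/product filter as the search query to a handful of constructed host records, tallies matches by country, and flags any host whose firmware string is older than V5.21(AAZF.17)C0. The record layout, the local "firmware" field and the assumed version-string format V<major>.<minor>(<board>.<build>)C<rev> are all assumptions; the version pattern is inferred only from the single version string the advisory quotes.

```python
import re
from collections import Counter

# Patched firmware version stated in the advisory; anything lower is affected.
PATCHED_VERSION = "V5.21(AAZF.17)C0"
AFFECTED_PRODUCTS = {"NAS326", "NAS542"}

# Assumed layout of a Zyxel NAS firmware string: V<major>.<minor>(<board>.<build>)C<rev>.
# Inferred solely from the one version string quoted in the advisory.
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def parse_version(version):
    """Return a comparable tuple (major, minor, build, rev), or None if the string is unparseable."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, _board, build, rev = m.groups()
    return (int(major), int(minor), int(build), int(rev))


def is_affected(version):
    """True if the firmware is older than the patched release, False if not, None if unknown."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed < parse_version(PATCHED_VERSION)


def is_zyxel_nas(host):
    """Mirror the Censys query: any service whose software is vendor Zyxel and product NAS326/NAS542."""
    for svc in host.get("services", []):
        for sw in svc.get("software", []):
            if sw.get("vendor") == "Zyxel" and sw.get("product") in AFFECTED_PRODUCTS:
                return True
    return False


def triage(hosts):
    """Return (matching hosts, match counts by country, patch status keyed by IP)."""
    matches = [h for h in hosts if is_zyxel_nas(h)]
    by_country = Counter(h.get("location", {}).get("country", "unknown") for h in matches)
    status = {}
    for h in matches:
        fw = h.get("firmware")  # assumed to come from local inventory; Censys does not expose it
        affected = is_affected(fw) if fw is not None else None
        if affected is None:
            status[h["ip"]] = "unknown"
        else:
            status[h["ip"]] = "vulnerable" if affected else "patched"
    return matches, by_country, status


# Constructed sample records shaped like Censys host results, plus the assumed local "firmware" field.
SAMPLE_HOSTS = [
    {"ip": "192.0.2.10", "location": {"country": "Italy"},
     "services": [{"port": 80, "software": [{"vendor": "Zyxel", "product": "NAS326"}]}],
     "firmware": "V5.21(AAZF.16)C0"},
    {"ip": "192.0.2.11", "location": {"country": "Germany"},
     "services": [{"port": 443, "software": [{"vendor": "Zyxel", "product": "NAS542"}]}],
     "firmware": "V5.21(AAZF.17)C0"},
    {"ip": "192.0.2.12", "location": {"country": "Italy"},
     "services": [{"port": 8080, "software": [{"vendor": "Zyxel", "product": "NAS326"}]}]},
    {"ip": "192.0.2.13", "location": {"country": "Hungary"},
     "services": [{"port": 22, "software": [{"vendor": "OpenBSD", "product": "OpenSSH"}]}]},
]

if __name__ == "__main__":
    matches, by_country, status = triage(SAMPLE_HOSTS)
    print(f"{len(matches)} Zyxel NAS326/NAS542 hosts matched")
    for country, n in by_country.most_common():
        print(f"  {country}: {n}")
    for ip, st in status.items():
        print(f"  {ip}: {st}")
```

Hosts with no firmware record are reported as "unknown" rather than assumed safe, which is the conservative reading the advisory implies when it says it is unclear how many exposed devices are patched.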