Threat Signal Report

CVE-2020-9054 - Vulnerability in Zyxel Network Attached Storage (NAS) Devices


FortiGuard Labs is aware of a newly disclosed vulnerability in Zyxel network attached storage (NAS) devices in an advisory published today by CERT/CC. Multiple Zyxel devices contain a pre authentication command injection vulnerability, which may allow a remote unauthenticated attacker to execute arbitrary code on the device. The vulnerability was reported by security journalist Brian Krebs (Krebs on Security) who learned about the flaw from a researcher who had obtained the exploit code from a reseller on the underground forums. This vulnerability has been assigned CVE-2020-9054.

What are the details of this vulnerability exactly?

The vulnerability is in (weblogin.cgi), which is a cgi script used by Zyxel NAS devices to perform authentication. The script fails to properly sanitize the username parameter. if the parameter contains a specific subset of characters it can allow for command injection with elevated privileges on the webserver. Although the webserver does not run at root; Zyxel devices contain a setuid utility that can be leveraged to run commands with root privileges. Remote code execution via OS command injection can occur due to the program missing authentication. By sending a specially crafted HTTP POST or GET request, an attacker can leverage this technique to perform unauthenticated arbitrary code execution on the device.

What is the severity of this vulnerability?

Due to an attacker who can perform code execution with root privileges without authentication, this vulnerability is deemed HIGH. CERT/CC has assigned this vulnerability a CVSS base score of 10.

What products are affected?

Zyxel products only, specifically model numbers NAS326/NAS520/NAS540/NAS542. Others not on this list are no longer supported.

Is proof of concept code publicly available?

According to CERT/CC exploit code is publicly available. CERT/CC has also created a POC for companies to investigate signature feasibility.

Is there a vendor patch or firmware update available?

Yes. Zyxel has published descriptions of devices affected along with firmware updates available and they are:

Models Firmware versions available

NAS326 March 2020. Firmware V5.21(AAZF.7)C0

NAS520 March 2020. Firmware V5.21(AASZ.3)C0

NAS540 March 2020. Firmware V5.21(AATB.4)C0

NAS542 March 2020. Firmware V5.21(ABAG.4)C0

According to the vendor page - products not listed here or products that have reached end of life are no longer supported.

Any other recommendations and/or suggested mitigation?

For products that are no longer supported it is suggested that devices affected by CVE-2020-9054 are not internet facing and or placed behind a firewall to prevent unauthenticated access. Also, FortiGuard labs recommends that system administrators perform an audit of their network to ensure that machines affected by this vulnerability and any other services that were not meant to be exposed externally, be firewalled as soon as time permits and that authentication be enabled to ensure additional mitigation from external access.

What is the status of AV/IPS coverage?

Customers running the latest definitions (15.784) are protected by the following IPS signature:


AV was deemed not feasible at this time.


ID: T1068

Tactic: Privilege Escalation

Platform: Linux, macOS, Windows

System Requirements: In the case of privilege escalation, the adversary likely already has user permissions on the target system.

Permissions Required: User

Effective Permissions: User

Data Sources: Windows Error Reporting, Process monitoring, Application logs

Version: 1.1


Traffic Light Protocol

Color When Should it Be used? How may it be shared?


Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.


Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.


Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.


Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.