CVE-2020-9054
Summary
| CVE | CVE-2020-9054 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-03-04 20:15:00 UTC |
| Updated | 2020-03-06 17:58:00 UTC |
| Description | Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices perform authentication using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable device. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0; NAS520 before firmware V5.21(AASZ.3)C0; NAS540 before firmware V5.21(AATB.4)C0; NAS542 before firmware V5.21(ABAG.4)C0. ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2. |
Risk And Classification
EPSS: 0.943120000 probability, percentile 0.999480000 (date 2026-04-01)
CISA KEV: Listed on 2022-03-25; due 2022-04-15; ransomware use Unknown
Problem Types: CWE-78
CISA Known Exploited Vulnerability
| Vendor | Zyxel |
|---|---|
| Product | Multiple Network-Attached Storage (NAS) Devices |
| Name | Zyxel Multiple NAS Devices OS Command Injection Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://nvd.nist.gov/vuln/detail/CVE-2020-9054 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Zyxel | Atp100 | - | All | All | All |
| Operating System | Zyxel | Atp100 Firmware | All | All | All | All |
| Hardware | Zyxel | Atp200 | - | All | All | All |
| Operating System | Zyxel | Atp200 Firmware | All | All | All | All |
| Hardware | Zyxel | Atp500 | - | All | All | All |
| Operating System | Zyxel | Atp500 Firmware | All | All | All | All |
| Hardware | Zyxel | Atp800 | - | All | All | All |
| Operating System | Zyxel | Atp800 Firmware | All | All | All | All |
| Hardware | Zyxel | Nas326 | - | All | All | All |
| Operating System | Zyxel | Nas326 Firmware | All | All | All | All |
| Hardware | Zyxel | Nas520 | - | All | All | All |
| Operating System | Zyxel | Nas520 Firmware | All | All | All | All |
| Hardware | Zyxel | Nas540 | - | All | All | All |
| Operating System | Zyxel | Nas540 Firmware | All | All | All | All |
| Hardware | Zyxel | Nas542 | - | All | All | All |
| Operating System | Zyxel | Nas542 Firmware | All | All | All | All |
| Hardware | Zyxel | Usg110 | - | All | All | All |
| Operating System | Zyxel | Usg110 Firmware | All | All | All | All |
| Hardware | Zyxel | Usg1100 | - | All | All | All |
| Operating System | Zyxel | Usg1100 Firmware | All | All | All | All |
| Hardware | Zyxel | Usg1900 | - | All | All | All |
| Operating System | Zyxel | Usg1900 Firmware | All | All | All | All |
| Hardware | Zyxel | Usg20-vpn | - | All | All | All |
| Operating System | Zyxel | Usg20-vpn Firmware | All | All | All | All |
| Hardware | Zyxel | Usg20w-vpn | - | All | All | All |
| Operating System | Zyxel | Usg20w-vpn Firmware | All | All | All | All |
| Hardware | Zyxel | Usg210 | - | All | All | All |
| Operating System | Zyxel | Usg210 Firmware | All | All | All | All |
| Hardware | Zyxel | Usg2200 | - | All | All | All |
| Operating System | Zyxel | Usg2200 Firmware | All | All | All | All |
| Hardware | Zyxel | Usg310 | - | All | All | All |
| Operating System | Zyxel | Usg310 Firmware | All | All | All | All |
| Hardware | Zyxel | Usg40 | - | All | All | All |
| Operating System | Zyxel | Usg40 Firmware | All | All | All | All |
| Hardware | Zyxel | Usg40w | - | All | All | All |
| Operating System | Zyxel | Usg40w Firmware | All | All | All | All |
| Hardware | Zyxel | Usg60 | - | All | All | All |
| Operating System | Zyxel | Usg60 Firmware | All | All | All | All |
| Hardware | Zyxel | Usg60w | - | All | All | All |
| Operating System | Zyxel | Usg60w Firmware | All | All | All | All |
| Hardware | Zyxel | Vpn100 | - | All | All | All |
| Operating System | Zyxel | Vpn100 Firmware | All | All | All | All |
| Hardware | Zyxel | Vpn1000 | - | All | All | All |
| Operating System | Zyxel | Vpn1000 Firmware | All | All | All | All |
| Hardware | Zyxel | Vpn300 | - | All | All | All |
| Operating System | Zyxel | Vpn300 Firmware | All | All | All | All |
| Hardware | Zyxel | Vpn50 | - | All | All | All |
| Operating System | Zyxel | Vpn50 Firmware | All | All | All | All |
| Hardware | Zyxel | Zywall110 | - | All | All | All |
| Operating System | Zyxel | Zywall110 Firmware | All | All | All | All |
| Hardware | Zyxel | Zywall1100 | - | All | All | All |
| Operating System | Zyxel | Zywall1100 Firmware | All | All | All | All |
| Hardware | Zyxel | Zywall310 | - | All | All | All |
| Operating System | Zyxel | Zywall310 Firmware | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| kb.cert.org/artifacts/cve-2020-9054.html | MISC | kb.cert.org | Third Party Advisory, US Government Resource |
| Zyxel Fixes 0day in Network Storage Devices — Krebs on Security | MISC | krebsonsecurity.com | Exploit, Third Party Advisory |
| Zyxel security advisory for the remote code execution vulnerability of NAS and firewall products | Zyxel | CONFIRM | www.zyxel.com | Vendor Advisory |
| CWE - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (4.9) | MISC | cwe.mitre.org | Third Party Advisory |
| VU#498544 - ZyXEL pre-authentication command injection in weblogin.cgi | CERT-VN | kb.cert.org | Third Party Advisory, US Government Resource |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
Vendor Comments And Credit
Discovery Credit
LEGACY: Thanks to Alex Holden of Hold Security for finding and reporting this vulnerability.
Legacy QID Mappings
- 731233 Zyxel Network Attached Storage (NAS) and Firewall Remote Code Execution (RCE) Vulnerability