{"api_version":"1","generated_at":"2026-04-23T12:35:27+00:00","cve":"CVE-2023-27988","urls":{"html":"https://cve.report/CVE-2023-27988","api":"https://cve.report/api/cve/CVE-2023-27988.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-27988","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-27988"},"summary":{"title":"CVE-2023-27988","description":"The post-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.13)C0 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device remotely.","state":"PUBLIC","assigner":"security@zyxel.com.tw","published_at":"2023-05-30 02:15:00","updated_at":"2023-06-02 19:49:00"},"problem_types":["CWE-78"],"metrics":[],"references":[{"url":"https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-nas-products","name":"https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-nas-products","refsource":"CONFIRM","tags":[],"title":"Zyxel security advisory for post-authentication command injection vulnerability in NAS products | Zyxel Networks","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-27988","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27988","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"27988","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"zyxel","cpe5":"nas326","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"27988","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"zyxel","cpe5":"nas326_firmware","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"27988","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"zyxel","cpe5":"nas540","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"27988","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"zyxel","cpe5":"nas540_firmware","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"27988","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"zyxel","cpe5":"nas542","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"27988","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"zyxel","cpe5":"nas542_firmware","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ASSIGNER":"security@zyxel.com.tw","ID":"CVE-2023-27988","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Zyxel","product":{"product_data":[{"product_name":"NAS326 firmware","version":{"version_data":[{"version_value":"< V5.21(AAZF.13)C0"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}]},"references":{"reference_data":[{"refsource":"CONFIRM","name":"https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-nas-products","url":"https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-nas-products"}]},"impact":{"cvss":{"baseScore":"7.2","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},"description":{"description_data":[{"lang":"eng","value":"The post-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.13)C0 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device remotely."}]}},"nvd":{"publishedDate":"2023-05-30 02:15:00","lastModifiedDate":"2023-06-02 19:49:00","problem_types":["CWE-78"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.2,"baseSeverity":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:*","versionEndExcluding":"5.21\\(aazf.13\\)c0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:zyxel:nas326:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:zyxel:nas540_firmware:*:*:*:*:*:*:*:*","versionEndExcluding":"5.21\\(aatb.10\\)c0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:zyxel:nas540:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:zyxel:nas542_firmware:*:*:*:*:*:*:*:*","versionEndExcluding":"5.21\\(abag.10\\)c0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:zyxel:nas542:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]}]}},"legacy_mitre":{"record":null,"notes":[]}}}