CVE-2020-9054

Known Exploited Public Exploit
ZyXEL NAS products running firmware version 5.21 and earlier are vulnerable to pre-authentication command injection in weblogin.cgi

Description

Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2

Remediation

Solution:

  • ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, NAS542, ATP100, ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200, VPN50, VPN100, VPN300, VPN1000, ZyWALL110, ZyWALL310, and ZyWALL1100 devices.

Workaround:

  • Block access to the ZyXEL device web interface: This issue can be mitigated by blocking (for example with a firewall) access to the web interface (80/tcp and 443/tcp) of any vulnerable ZyXEL device. Any machine that can access the ZyXEL web interface should not also be able to access the internet. Restrict access to vulnerable ZyXEL devices: Direct exploitation of this vulnerability can be mitigated by restricting access to vulnerable devices. In particular, do not expose such devices directly to the internet. Note however, that it is still possible for attackers to exploit devices that are not directly connected to the internet. For example, by way of viewing a web page.

Category

9.8
CVSS
Severity: Critical
CVSS 3.1 •
CVSS 2.0 •
EPSS 94.07% Top 5%
KEV Since 
Vendor Advisory zyxel.com
Affected: ZyXEL NAS326
Affected: ZyXEL NAS520
Affected: ZyXEL NAS540
Affected: ZyXEL NAS542
Affected: ZyXEL NSA210
Affected: ZyXEL NSA220
Affected: ZyXEL NSA220+
Affected: ZyXEL NSA221
Affected: ZyXEL NSA310
Affected: ZyXEL NSA320
Affected: ZyXEL NSA320S
Affected: ZyXEL NSA325
Affected: ZyXEL NSA325v2
Published at:
Updated at:

References

Link Tags
https://cwe.mitre.org/data/definitions/78.html third party advisory
https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml vendor advisory
https://kb.cert.org/vuls/id/498544/ third party advisory us government resource
https://kb.cert.org/artifacts/cve-2020-9054.html third party advisory us government resource
https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/ third party advisory exploit

Frequently Asked Questions

What is the severity of CVE-2020-9054?
CVE-2020-9054 has been scored as a critical severity vulnerability.
How to fix CVE-2020-9054?
To fix CVE-2020-9054: ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, NAS542, ATP100, ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200, VPN50, VPN100, VPN300, VPN1000, ZyWALL110, ZyWALL310, and ZyWALL1100 devices.
Is CVE-2020-9054 being actively exploited in the wild?
It is confirmed that CVE-2020-9054 is actively exploited. Be extra cautious if you are using vulnerable components. According to its EPSS score, there is a ~94% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-9054?
CVE-2020-9054 affects ZyXEL NAS326, ZyXEL NAS520, ZyXEL NAS540, ZyXEL NAS542, ZyXEL NSA210, ZyXEL NSA220, ZyXEL NSA220+, ZyXEL NSA221, ZyXEL NSA310, ZyXEL NSA320, ZyXEL NSA320S, ZyXEL NSA325, ZyXEL NSA325v2.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.