InfoSecBulletin Cybersecurity for mankind
Zyxel released patches for 15 security issues affecting network-attached storage (NAS), firewall, and access point (AP) devices. The fixes address critical flaws that could allow authentication bypass and command injection.
The three vulnerabilities are listed below :
Samsung phone is saving your passwords in plain text
UK Software Firm Exposed 8 million of Healthcare Worker Records
GitHub Enterprise Server Vulns Expose Risk of Code Execution
CVE-2025-2492
ASUS warns of critical auth bypass flaw in routers
16,000+ Fortinet devices compromised with symlink backdoor, Mostly in Asia
Patch now! Critical Erlang/OTP SSH Vuln Allows UCE
CISA warns of increasing risk tied to Oracle legacy Cloud leak
CVE-2025-20236
Cisco Patches Unauthenticated RCE Flaw in Webex App
Apple released emergency security updates for 2 zero-day vulns
Oracle Released Patched for 378 flaws for April 2025
CVE-2023-35138 (CVSS score: 9.8):
There is a vulnerability that allows an attacker to execute operating system commands using an HTTP POST request, even without authentication.
CVE-2023-4473 (CVSS score: 9.8):
A vulnerability in the web server allows an attacker to execute commands on a device by sending a specific URL.
CVE-2023-4474 (CVSS score: 9.8):
An unauthenticated attacker could execute OS commands by sending a manipulated URL to a vulnerable device.
Zyxel has fixed three high-severity flaws (CVE-2023-35137, CVE-2023-37927, and CVE-2023-37928). These flaws could be used by attackers to gather system information and run commands. It is important to mention that both CVE-2023-37927 and CVE-2023-37928 require authentication.
The flaws impact the following models and versions :
NAS326 – versions V5.21(AAZF.14)C0 and earlier (Patched in V5.21(AAZF.15)C0)
NAS542 – versions V5.21(ABAG.11)C0 and earlier (Patched in V5.21(ABAG.12)C0)
The advisory warns about nine flaws found in firewall and access point versions sold by Taiwanese networking vendor. Some of these flaws could allow unauthorized access to system files and administrator logs, or cause a denial-of-service condition.
