Zyxel security advisory for post-authentication command injection vulnerability in NBG6604 home router
CVE: CVE-2023-22919
Summary
Zyxel has released a patch addressing a post-authentication command injection vulnerability in the NBG6604 home router. Users are advised to install the patch for optimal protection.
What is the vulnerability?
The post-authentication command injection vulnerability in Zyxel's NBG6604 could allow an authenticated attacker to execute some OS commands remotely by sending a crafted HTTP request. Note that WAN access is disabled by default on the home router.
What versions are vulnerable—and what should you do?
After a thorough investigation, we’ve identified only one vulnerable product that is within the vulnerability support period and released a firmware patch to address the issue, as shown in the table below.
Affected model | Affected version | Patch availability |
NBG6604 | V1.01(ABIR.0)C0 | V1.01(ABIR.1)C0 |
Got a question?
Please contact your local service rep or visit Zyxel’s Community for further information or assistance.
Acknowledgment
Thanks to Xianjun Chen from Qihoo 360 for reporting the issue to us.
Revision history
2023-5-2: Initial release.