CVE-2020-9054

CRITICAL KEV NUCLEI

ZyXEL NAS326/520/540/542 < 5.21 - Unauthenticated RCE via Weblogin.cgi

Title source: llm

Exploitation Summary

CVE-2020-9054 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022. EIP tracks 1 public exploit from researchers including darrenmartyn. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository contains a functional Python script that exploits an authentication bypass vulnerability in Zyxel devices via command injection in the login form. The PoC sends a crafted username with a command injection payload to execute arbitrary commands on the target device.

Description

Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2

Exploits (1)

nomisec WORKING POC 3 stars

by darrenmartyn · remote

https://github.com/darrenmartyn/CVE-2020-9054

View Code ZIP pw:eip

The repository contains a functional Python script that exploits an authentication bypass vulnerability in Zyxel devices via command injection in the login form. The PoC sends a crafted username with a command injection payload to execute arbitrary commands on the target device.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Zyxel devices (specific version not specified)

No auth needed

Prerequisites: Network access to the target device · Target device must be vulnerable to CVE-2020-9054

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

Zyxel NAS Firmware 5.21- Remote Code Execution

CRITICALby dhiyaneshDk

References (6)

Core 6

Core References

Third Party Advisory x_refsource_misc

https://cwe.mitre.org/data/definitions/78.html

Vendor Advisory x_refsource_confirm

https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml

Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn

https://kb.cert.org/vuls/id/498544/

Third Party Advisory, US Government Resource x_refsource_misc

https://kb.cert.org/artifacts/cve-2020-9054.html

Exploit, Third Party Advisory x_refsource_misc

https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-9054

Scores

CVSS v3 9.8

EPSS 0.9426

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-03-25

VulnCheck KEV 2020-02-24

InTheWild.io 2020-03-12

ENISA EUVD EUVD-2020-29883

CWE

CWE-78

Status published

Products (27)

zyxel/atp100_firmware 4.35 - 4.35\(abps.3\)c0

zyxel/atp200_firmware 4.35 - 4.35\(abfw.3\)c0

zyxel/atp500_firmware 4.35 - 4.35\(abfu.3\)c0

zyxel/atp800_firmware 4.35 - 4.35\(abiq.3\)c0

zyxel/nas326_firmware < 5.21\(aazf.7\)c0

zyxel/nas520_firmware < 5.21\(aasz.3\)c0

zyxel/nas540_firmware < 5.21\(aatb.4\)c0

zyxel/nas542_firmware < 5.21\(abag.4\)c0

zyxel/usg1100_firmware 4.35 - 4.35\(aapk.3\)c0

zyxel/usg110_firmware 4.35 - 4.35\(aaph.3\)c0

... and 17 more

Published Mar 04, 2020

KEV Added Mar 25, 2022

Tracked Since Feb 18, 2026