Command Injection Vulnerabilities:

1. CVE-2023-35138: This vulnerability affects the “show_zysync_server_contents” function of Zyxel NAS devices, enabling unauthenticated attackers to execute operating system commands via crafted HTTP POST requests, with a severity rating of 9.8 (Critical).
2. CVE-2023-37928: This post-authentication command injection flaw resides in the WSGI server of NAS devices. By exploiting this vulnerability with a crafted URL, threat actors can execute OS commands on affected devices, rated at 8.8 in severity (High).
3. CVE-2023-4473: Present in the web server of Zyxel NAS devices, this vulnerability permits unauthenticated threat actors to execute OS commands through crafted URLs, with a severity rating of 9.8 (Critical).

Acknowledging the responsible disclosure of these vulnerabilities by security researchers, Zyxel credits Maxim Suslov for CVE-2023-35138 and Attila Szász from BugProve for CVE-2023-37928 and CVE-2023-4473, along with Drew Balfour from IBM X-Force for CVE-2023-4473.

In addition to addressing these specific vulnerabilities, Zyxel has released patches to rectify a total of 15 security issues affecting NAS, firewall, and access point (AP) devices. Among these, three critical flaws, including the aforementioned command injection vulnerabilities, have been identified as potential pathways for authentication bypass and unauthorized command execution. These patches aim to fortify the security posture of Zyxel devices, reducing the risk of exploitation by threat actors.

It’s imperative for users to promptly apply these updates to mitigate potential threats, especially considering the history of Zyxel devices being targeted by malicious actors. By staying vigilant and ensuring their devices are up to date, users can bolster their defenses against evolving cybersecurity risks.

The vulnerability resides within the Graphapi app, which leverages a third-party library to provide a URL for retrieving PHP environment details, including sensitive data like OwnCloud admin passwords and mail server credentials. Notably, instances predating February 2023 in Docker containers remain unaffected by credential exposure.

Reports indicate a significant concentration of vulnerable systems in Germany, with over 11,000 systems worldwide at risk. Despite the gravity of the situation, merely deactivating the Graphapi app does not suffice as a solution.

OwnCloud advises administrators to delete the vulnerable file and promptly change exposed credentials. Additionally, two other vulnerabilities (CVE-2023-49104 and CVE-2023-49105) have been disclosed, further underscoring the urgency for mitigation efforts.

Despite OwnCloud’s patch release on September 1, an update to Graphapi version 0.3.1 remains imperative to safeguard systems. Threat actors have swiftly capitalized on this vulnerability since November 25, 2023, with multiple IPs involved in exploitation attempts.

Both Shadowserver and Greynoise corroborate the escalating threat landscape, necessitating immediate action from administrators to mitigate the risk. Disabling the ‘phpinfo’ function in Docker containers and fortifying passwords are crucial steps in thwarting potential breaches.

In conclusion, the exploitation of CVE-2023-49103 underscores the critical importance of swift and comprehensive security measures within the OwnCloud ecosystem.