CrowdSec
6/10 CrowdSec Score

Zyxel NAS - RCE (CVE-2020-9054)

Published on 03-04-2020
First seen on 27-02-2025
Public Exploit
CVSS 9.8/10
Zyxel - Nas Firmware

272 Exploiting IPs reported

Multiple Zyxel network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. Zyxel NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the Zyxel device.

CrowdSec analysis

CVE-2020-9054 is a critical vulnerability in Zyxel network-attached storage (NAS) devices that allows remote, unauthenticated command injection through improper input sanitization in the login interface.

CrowdSec has been tracking this vulnerability and its exploits since the 10th of March 2025.

CrowdSec network observations suggest that most exploitation of CVE-2020-9054 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. In addition, according to the CrowdSec network, attack volume against CVE-2020-9054 has dipped slightly compared to the previous week. Although still commonly targeted, the decline suggests a cooling-off period. Long-term relevance remains, but attention is waning.

Exploitation attempts are identified by requests to URLs referencing cgi-bin/weblogin.cgi with crafted parameters designed to trigger command injection.
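As an added illustration of the detection idea above (not CrowdSec's own scenario or code), the following Python sketch scans web access log lines for weblogin.cgi requests whose username value falls outside a conservative allowlist. The combined log format, the allowlist, the function names and the sample lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate usernames fit this conservative allowlist.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")
# Client IP and request target from a combined-format access log line.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_weblogin(line):
    """Return (ip, decoded_username) for a weblogin.cgi request whose
    username is outside the allowlist, otherwise None."""
    m = REQUEST.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith("cgi-bin/weblogin.cgi"):
        return None
    # parse_qs percent-decodes values, so encoded characters are
    # checked in decoded form. Only query strings are visible here;
    # parameters sent in a POST body do not appear in access logs.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("username", []):
        if not SAFE_USERNAME.fullmatch(value):
            return m.group("ip"), value
    return None

def scan(lines):
    """Collect every flagged (ip, username) pair from an iterable of lines."""
    return [hit for hit in map(suspicious_weblogin, lines) if hit]

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2025:08:00:01 +0000] '
    '"GET /cgi-bin/weblogin.cgi?username=admin&password=x HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2025:08:00:05 +0000] '
    '"GET /cgi-bin/weblogin.cgi?username=a%3Bb&password=x HTTP/1.1" 200 512',
    '203.0.113.4 - - [10/Mar/2025:08:00:09 +0000] '
    '"GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, username in scan(SAMPLE_LOG):
        print(f"{ip} sent out-of-allowlist username {username!r}")
```

An allowlist check flags anything unexpected in the parameter rather than depending on a list of known-bad characters, so tune the pattern to the account names actually in use on the device.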

Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.