Unauthenticated Remote Code Execution Vulnerability in Zyxel NAS326 Firmware
CVE-2024-29974

9.8 CRITICAL

Key Information:

Vendor: Zyxel
CVE Published: 4 June 2024

Summary

A vulnerability in the Zyxel NAS326 and NAS542 devices involves the CGI program 'file_upload-cgi', which allows unauthorized remote code execution. By uploading a specially crafted configuration file, attackers can exploit this flaw to execute arbitrary commands on the device. This vulnerability affects firmware versions released prior to V5.21(AAZF.17)C0 for NAS326 and V5.21(ABAG.14)C0 for NAS542. Users are advised to update their firmware promptly to mitigate potential security risks associated with this issue.

Affected Version(s)

NAS326 firmware < V5.21(AAZF.17)C0

NAS542 firmware < V5.21(ABAG.14)C0

News Articles

Zyxel Releases Emergency Security Update for NAS Devices

Networking solutions vendor Zyxel fixed critical vulnerabilities in end-of-life network-attached storage devices that allow remote code execution. It left two

8 months ago

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • First article discovered by BankInfoSecurity

  • Vulnerability published

  • Vulnerability Reserved
