Unauthenticated Remote Code Execution Vulnerability in Zyxel NAS326 Firmware
CVE-2024-29974

9.8CRITICAL

Key Information:

Vendor

Zyxel
Status
Nas326 Firmware
Nas542 Firmware
Vendor
CVE Published:
4 June 2024

Badges

🟣 EPSS 47%πŸ“° News Worthy

What is CVE-2024-29974?

A vulnerability in the Zyxel NAS326 and NAS542 devices involves the CGI program 'file_upload-cgi', which allows unauthorized remote code execution. By uploading a specially crafted configuration file, attackers can exploit this flaw to execute arbitrary commands on the device. This vulnerability affects firmware versions released prior to V5.21(AAZF.17)C0 for NAS326 and V5.21(ABAG.14)C0 for NAS542. Users are advised to update their firmware promptly to mitigate potential security risks associated with this issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

NAS326 firmware < V5.21(AAZF.17)C0

NAS542 firmware < V5.21(ABAG.14)C0

News Articles

favicon imageBankInfoSecurity

Zyxel Releases Emergency Security Update for NAS Devices

Networking solutions vendor Zyxel fixed critical vulnerabilities in end-of-life network-attached storage devices that allow remote code execution. It left two

References

https://www.zyxel.com/global/en/support/security-advisori...
vendor-advisory
https://outpost24.com/blog/zyxel-nas-critical-vulnerabili...

EPSS Score

47% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • πŸ“°

    First article discovered by BankInfoSecurity

  • Vulnerability published

  • Vulnerability Reserved

JSON
.