Crafted HTTP POST request can execute OS commands
CVE-2024-6342

9.8 CRITICAL

Key Information:

Vendor: Zyxel
CVE Published: 10 September 2024

Summary

A command injection vulnerability in the export-cgi program of Zyxel NAS326 and NAS542 firmware allows an unauthenticated, remote attacker to execute operating system commands by sending a crafted HTTP POST request. Because no credentials or user interaction are required, a single request from anyone who can reach the device's web interface is enough to compromise the confidentiality, integrity and availability of the NAS. Both models are end-of-life, but Zyxel has released hotfixes; owners should compare the running firmware version against the affected ranges listed below, apply the hotfix, and keep the device's web interface off the public internet.

Affected Version(s)

NAS326 firmware <= V5.21(AAZF.18)C0

NAS542 firmware <= V5.21(ABAG.15)C0
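
The "Affected Version(s)" entries use Zyxel's V<major>.<minor>(<branch>.<build>)<suffix> format, which is awkward to compare by eye across a fleet. The following Python helper is an added example (not code from this page or from Zyxel) that parses those strings and flags inventory records that fall at or below the advisory's bounds. The version-string layout is an assumption inferred from the two strings quoted above, and the sample inventory is constructed for illustration.

```python
import re
from typing import NamedTuple

# Last affected firmware build per model, copied from this advisory's
# "Affected Version(s)" section (NAS326 <= V5.21(AAZF.18)C0, NAS542 <= V5.21(ABAG.15)C0).
AFFECTED_UP_TO = {
    "NAS326": "V5.21(AAZF.18)C0",
    "NAS542": "V5.21(ABAG.15)C0",
}

# Assumed layout of a Zyxel NAS version string: V<major>.<minor>(<branch>.<build>)<suffix>
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)(\w+)$")


class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    branch: str   # firmware branch code, e.g. AAZF (NAS326) or ABAG (NAS542)
    build: int    # build number inside the branch, e.g. 18
    suffix: str   # release suffix, e.g. C0


def parse_version(text: str) -> ZyxelVersion:
    """Parse 'V5.21(AAZF.18)C0' into its numeric and textual parts."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {text!r}")
    major, minor, branch, build, suffix = m.groups()
    return ZyxelVersion(int(major), int(minor), branch, int(build), suffix)


def is_affected(model: str, version: str) -> bool:
    """True when the firmware is at or below the last affected build listed for the model."""
    if model not in AFFECTED_UP_TO:
        raise ValueError(f"model {model!r} is not covered by this advisory")
    bound = parse_version(AFFECTED_UP_TO[model])
    v = parse_version(version)
    # A branch code belonging to the other model means the inventory record is wrong;
    # refuse to guess rather than silently compare build numbers across branches.
    if v.branch != bound.branch:
        raise ValueError(f"{version} is not {model} firmware (expected branch {bound.branch})")
    return (v.major, v.minor, v.build) <= (bound.major, bound.minor, bound.build)


def triage(inventory):
    """Classify (host, model, version) records; returns a list of (host, status) tuples."""
    results = []
    for host, model, version in inventory:
        try:
            status = "AFFECTED" if is_affected(model, version) else "not affected"
        except ValueError as exc:
            status = f"check manually ({exc})"
        results.append((host, status))
    return results


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [
        ("nas-01", "NAS326", "V5.21(AAZF.16)C0"),
        ("nas-02", "NAS326", "V5.21(AAZF.18)C0"),
        ("nas-03", "NAS542", "V5.21(ABAG.15)C0"),
        ("nas-04", "NAS542", "V5.21(ABAG.16)C0"),
        ("nas-05", "NAS542", "V5.21(AAZF.18)C0"),   # mislabeled: carries the NAS326 branch code
    ]
    for host, status in triage(sample):
        print(f"{host}: {status}")
```

Because the advisory lists V5.21(AAZF.18)C0 and V5.21(ABAG.15)C0 themselves as affected and the remediation shipped as a hotfix, a device reporting exactly that version may or may not already have the hotfix installed; the version string alone cannot tell you, so treat "AFFECTED" for those builds as "verify the hotfix is applied" rather than as proof of exposure.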

News Articles

Zyxel fixes critical command injection flaw in EOL NAS devices (CVE-2024-6342) - Help Net Security

Users of Zyxel NAS devices are urged to implement hotfixes for an easily exploited command injection vulnerability (CVE-2024-6342).

5 months ago

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 📰 First article discovered by Help Net Security
  • Vulnerability published (10 September 2024)
  • Vulnerability reserved