Zyxel Networks released an emergency security update to address three critical flaws in some of its NAS devices that have reached end-of-life.

An attacker can exploit the vulnerabilities to perform command injection attacks and achieve remote code execution. Two flaws can also allow attackers to elevate privileges.
The Outpost24 researcher Timothy Hjort reported the flaws to the manufacturer and published a detailed analysis and PoC exploit code for them.

Below is the list of vulnerabilities impacting the Zyxel NAS devices:
The vulnerabilities affect NAS326 running firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and older.

The vendor did not address CVE-2024-29975 and CVE-2024-29976 in its end-of-life products.
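As an added example (not from the article, the researcher or Zyxel), the following inventory check parses Zyxel's firmware version strings and flags devices still on the affected versions stated above. The ordering it uses for "earlier" (major, minor, patch number, then C-release suffix, within the same platform code) is an assumption, and the sample hosts are constructed.

```python
import re

# Affected ceilings as stated in the article; the platform code (AAZF / ABAG)
# inside the parentheses identifies the model within Zyxel's version string.
AFFECTED_CEILING = {
    "NAS326": "5.21(AAZF.16)C0",
    "NAS542": "5.21(ABAG.13)C0",
}

# Matches V<major>.<minor>(<PLATFORM>.<patch>)C<release>, with the leading V optional.
VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def parse_version(v):
    """Return (platform, (major, minor, patch, release)) or raise ValueError."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {v!r}")
    major, minor, platform, patch, release = m.groups()
    return platform, (int(major), int(minor), int(patch), int(release))


def is_affected(model, version):
    """True when the firmware is at or below the affected ceiling for the model.

    Assumption (not stated by the vendor): 'earlier' orders by major, minor,
    patch number, then the C-release suffix. A platform-code mismatch (firmware
    from a different model) is rejected rather than silently compared.
    """
    ceiling = AFFECTED_CEILING.get(model)
    if ceiling is None:
        raise KeyError(f"no affected-version data for model {model!r}")
    want_platform, ceiling_tuple = parse_version(ceiling)
    platform, version_tuple = parse_version(version)
    if platform != want_platform:
        raise ValueError(f"{version!r} is not {model} firmware ({want_platform})")
    return version_tuple <= ceiling_tuple


def triage(inventory):
    """Return the (host, model, version) rows that are still on affected firmware."""
    return [(h, m, v) for h, m, v in inventory if is_affected(m, v)]


if __name__ == "__main__":
    sample = [  # constructed sample inventory, not real hosts
        ("nas-a.example.internal", "NAS326", "V5.21(AAZF.16)C0"),
        ("nas-b.example.internal", "NAS326", "V5.21(AAZF.17)C0"),
        ("nas-c.example.internal", "NAS542", "V5.20(ABAG.12)C0"),
    ]
    for row in triage(sample):
        print("affected:", *row)
```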
“Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support as outlined in the table below, despite the products already having reached end-of-vulnerability-support,” reads the advisory published by the company. “Both NAS326 and NAS542 reached end-of-vulnerability-support on Dec. 31, 2023.”
Zyxel is not aware of attacks in the wild exploiting these vulnerabilities.
Pierluigi Paganini
(SecurityAffairs – hacking, RCE)