{"id":164927,"date":"2024-06-25T16:52:28","date_gmt":"2024-06-25T16:52:28","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=164927"},"modified":"2024-06-25T16:52:42","modified_gmt":"2024-06-25T16:52:42","slug":"mirai-like-botnet-zyxel-nas","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/164927\/cyber-crime\/mirai-like-botnet-zyxel-nas.html","title":{"rendered":"Mirai-like botnet is exploiting recently disclosed Zyxel NAS flaw"},"content":{"rendered":"

Researchers warn that a Mirai-based botnet is exploiting a recently disclosed critical vulnerability in EoL Zyxel NAS devices.<\/h2>\n\n\n\n

Researchers at the Shadowserver Foundation warn that a Mirai-based botnet has started exploiting a recently disclosed vulnerability tracked as CVE-2024-29973 (CVSS score 9.8) in end-of-life Zyxel NAS products.<\/p>\n\n\n\n

The flaw is a command injection vulnerability in the \u201csetCookie\u201d parameter in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0. An unauthenticated attacker can exploit the flaw to execute some operating system (OS) commands by sending a crafted HTTP POST request.<\/p>\n\n\n\n

The vulnerability affects NAS326\u00a0running firmware versions 5.21(AAZF.16)C0 and earlier, and\u00a0NAS542\u00a0running firmware versions 5.21(ABAG.13)C0 and older.<\/p>\n\n\n\n

The vulnerability stems from the fix for another code injection issue tracked as CVE-2023-27992 that was addressed in June 2023.<\/p>\n\n\n\n

Researchers at the Shadowserver Foundation now report that they have started observing exploitation attempts against this vulnerability by a Mirai-like botnet. The experts urge replacing the EoL devices and point out that PoC exploit code is publicly available.<\/p>\n\n\n\n

\n

… and consider a replacement for these now unsupported devices!

NVD entry:
https:\/\/t.co\/aqx6xPhdYB

Vulnerability\/exploit details are public.<\/p>— The Shadowserver Foundation (@Shadowserver)
June 21, 2024<\/blockquote>