Zyxel fixes Critical vulnerabilities in its NAS Devices

Zyxel has released critical security patches for vulnerabilities in two of its Network Attached Storage (NAS) devices, NAS326 and NAS542, that could allow attackers to execute code remotely and compromise system security.

  • CVE-2024-29972, CVE-2024-29973 (the CVSS score of both vulnerabilities is 9.8): Command injection vulnerabilities allowing unauthenticated attackers to execute OS commands on the devices.
  • CVE-2024-29974 (the CVSS score is 9.8): Remote code execution vulnerability enabling attackers to run arbitrary code on the devices.
  • CVE-2024-29975 (the CVSS score is 6.7): Improper privilege management flaw allowing local attackers to gain root privileges.
  • CVE-2024-29976 (the CVSS score is 6.5): Improper privilege management issue leading to information leakage.

Although both NAS326 and NAS542 devices reached their end-of-vulnerability-support in December 2023, Zyxel has made patches available to customers with extended support due to the critical nature of these vulnerabilities.

Affected Products

  • NAS326: Versions V5.21(AAZF.16)C0 and earlier are affected. Patch available in version V5.21(AAZF.17)C0.
  • NAS542: Versions V5.21(ABAG.13)C0 and earlier are affected. Patch available in version V5.21(ABAG.14)C0.

Zyxel strongly urges all users of the affected NAS models to update their devices immediately, considering the severity of the identified vulnerabilities.
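
An added example, not from Zyxel or the original article: a fleet check that compares each device's firmware string against the patched versions listed above. The string layout, the numeric ordering of the build number, and the inventory entries are assumptions made for illustration.

```python
import re

# Fixed firmware per model, taken from the Affected Products list above.
PATCHED = {
    "NAS326": "V5.21(AAZF.17)C0",
    "NAS542": "V5.21(ABAG.14)C0",
}

# Assumed layout, inferred from the strings on this page:
# V<major>.<minor>(<model code>.<build>)C<revision>
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)C(\d+)$")


def parse_version(text):
    """Return (model_code, sortable_tuple) or raise ValueError."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    major, minor, code, build, rev = m.groups()
    # Compare as integers: as text, build "9" would sort after "14".
    return code, (int(major), int(minor), int(build), int(rev))


def assess(model, firmware):
    """Classify one device as 'patched', 'affected' or 'unknown'."""
    if model not in PATCHED:
        return "unknown"          # model not covered by this advisory
    fixed_code, fixed = parse_version(PATCHED[model])
    try:
        code, current = parse_version(firmware)
    except ValueError:
        return "unknown"          # unparseable: needs manual review
    if code != fixed_code:
        return "unknown"          # firmware string belongs to another model
    return "patched" if current >= fixed else "affected"


# Constructed inventory for illustration (hypothetical hosts, not real devices).
INVENTORY = [
    ("nas-lab-01", "NAS326", "V5.21(AAZF.16)C0"),
    ("nas-lab-02", "NAS326", "V5.21(AAZF.17)C0"),
    ("nas-lab-03", "NAS542", "V5.21(ABAG.9)C0"),
    ("nas-lab-04", "NAS542", "V5.21(AAZF.17)C0"),
]


def audit(inventory):
    """Map each host name to its assessment."""
    return {host: assess(model, fw) for host, model, fw in inventory}
```

Devices reported as "unknown" carry a firmware string that does not match the expected model code or layout and should be checked by hand rather than assumed safe.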
