CVE-2024-29972: OS Command Injection
First published: Tue Jun 04 2024(Updated: )
** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the CGI program "remote_help-cgi" in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.
Credit: security@zyxel.com.tw
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zyxel NAS326 | <V5.21(AAZF.17)C0 | |
| Zyxel NAS542 firmware | <V5.21(ABAG.14)C0 | |
| All of | ||
| Zyxel NAS326 | <5.21\(aazf.17\)c0 | |
| Zyxel NAS326 | ||
| All of | ||
| Zyxel NAS542 firmware | <5.21\(abag.14\)c0 | |
| Zyxel NAS542 firmware |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.bleepingcomputer.com/news/security/zyxel-issues-emergency-rce-patch-for-end-of-life-nas-devices/
- https://outpost24.com/blog/zyxel-nas-critical-vulnerabilities/
- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-nas-products-06-04-2024
- https://www.theregister.com/2024/06/05/zyxel_emergency_patches_nas/
- https://www.theregister.com/2024/06/24/mirailike_botnet_zyxel_nas/
Frequently Asked Questions
What is the severity of CVE-2024-29972?
CVE-2024-29972 is classified as a critical command injection vulnerability that could allow unauthenticated attackers to execute operating system commands.
How do I fix CVE-2024-29972?
To fix CVE-2024-29972, update the Zyxel NAS326 firmware to version V5.21(AAZF.17)C0 or the NAS542 firmware to version V5.21(ABAG.14)C0.
Which products are affected by CVE-2024-29972?
The affected products for CVE-2024-29972 are Zyxel NAS326 and NAS542 running firmware versions prior to V5.21(AAZF.17)C0 and V5.21(ABAG.14)C0 respectively.
Is there a workaround for CVE-2024-29972?
Currently, there is no documented workaround for CVE-2024-29972 other than applying the necessary firmware updates.
What does CVE-2024-29972 allow an attacker to do?
CVE-2024-29972 potentially allows an unauthenticated attacker to execute arbitrary operating system commands on the vulnerable NAS devices.
- agent/weakness
- agent/description
- agent/type
- agent/first-publish-date
- agent/severity
- agent/author
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2024-29972
- alias/CVE-2024-29973
- alias/CVE-2024-29974
- collector/the-register
- source/The Register
- alias/CVE-2023-27992
- alias/CVE-2024-29975
- alias/CVE-2024-29976
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/trending
- agent/source
- agent/last-modified-date
- agent/event
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- vendor/zyxel
- canonical/zyxel nas326
- canonical/zyxel nas542 firmware