First published: Tue Jun 04 2024
** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.
Credit: security@zyxel.com.tw
Affected Software | Affected Version | How to fix |
---|---|---|
Zyxel NAS326 | <V5.21(AAZF.17)C0 | |
Zyxel NAS542 firmware | <V5.21(ABAG.14)C0 | |
CVE-2024-29973 is a command injection vulnerability that can lead to remote code execution on affected devices.
To fix CVE-2024-29973, upgrade Zyxel NAS326 firmware to V5.21(AAZF.17)C0 or NAS542 firmware to V5.21(ABAG.14)C0.
The affected devices for CVE-2024-29973 are Zyxel NAS326 and Zyxel NAS542 running firmware versions prior to the specified fixed versions.
An unauthenticated attacker can exploit CVE-2024-29973 remotely through the vulnerable 'setCookie' parameter.
There are no known workarounds for CVE-2024-29973; updating the firmware is the recommended solution.