CVE-2024-29974: Malicious File Upload
First published: Tue Jun 04 2024(Updated: )
** UNSUPPORTED WHEN ASSIGNED ** The remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device.
Credit: security@zyxel.com.tw
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zyxel NAS326 | <V5.21(AAZF.17)C0 | |
| Zyxel NAS542 firmware | <V5.21(ABAG.14)C0 | |
| All of | ||
| Zyxel NAS326 | <5.21\(aazf.17\)c0 | |
| Zyxel NAS326 | ||
| All of | ||
| Zyxel NAS542 firmware | <5.21\(abag.14\)c0 | |
| Zyxel NAS542 firmware |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.bleepingcomputer.com/news/security/zyxel-issues-emergency-rce-patch-for-end-of-life-nas-devices/
- https://outpost24.com/blog/zyxel-nas-critical-vulnerabilities/
- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-nas-products-06-04-2024
- https://www.theregister.com/2024/06/05/zyxel_emergency_patches_nas/
- https://www.theregister.com/2024/06/24/mirailike_botnet_zyxel_nas/
Frequently Asked Questions
What is the severity of CVE-2024-29974?
CVE-2024-29974 has been classified as a remote code execution vulnerability affecting certain Zyxel NAS firmware.
How do I fix CVE-2024-29974?
To fix CVE-2024-29974, upgrade to Zyxel NAS326 firmware version V5.21(AAZF.17)C0 or NAS542 firmware version V5.21(ABAG.14)C0 or later.
Who is affected by CVE-2024-29974?
CVE-2024-29974 affects users of Zyxel NAS326 and NAS542 devices running firmware versions before V5.21.
What could happen if CVE-2024-29974 is exploited?
If exploited, CVE-2024-29974 could allow an unauthenticated attacker to execute arbitrary code on the affected Zyxel devices.
Is CVE-2024-29974 still being supported by Zyxel?
CVE-2024-29974 is documented as unsupported when assigned, which means it is not related to current supported firmware updates.
- agent/weakness
- agent/description
- agent/type
- agent/first-publish-date
- agent/severity
- agent/author
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2024-29972
- alias/CVE-2024-29973
- alias/CVE-2024-29974
- collector/the-register
- source/The Register
- alias/CVE-2023-27992
- alias/CVE-2024-29975
- alias/CVE-2024-29976
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/trending
- agent/source
- agent/last-modified-date
- agent/event
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- vendor/zyxel
- canonical/zyxel nas326
- canonical/zyxel nas542 firmware