Scrape Timestamp (UTC): 2024-06-04 17:30:19.441
Original Article Text
Zyxel issues emergency RCE patch for end-of-life NAS devices

Zyxel Networks has released an emergency security update to address three critical vulnerabilities impacting older NAS devices that have reached end-of-life. The flaws impact NAS326 running firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and older.

The networking solutions vendor addressed three critical flaws, which enable attackers to perform command injection and remote code execution. However, two further flaws, allowing privilege escalation and information disclosure, were not fixed in the end-of-life products.

Outpost24 security researcher Timothy Hjort discovered and reported all five vulnerabilities to Zyxel. Today, the researchers published a detailed write-up and proof-of-concept (PoC) exploits in coordination with Zyxel's disclosure. The disclosed flaws are listed below, with only CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974 fixed by Zyxel:

Although both NAS models reached the end of their support period on December 31, 2023, Zyxel released fixes for the three critical flaws in versions 5.21(AAZF.17)C0 for NAS326 and 5.21(ABAG.14)C0 for NAS542.

"Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers [...] despite the products already having reached end-of-vulnerability-support," reads a Zyxel security advisory.

Zyxel says that it has not observed the vulnerabilities exploited in the wild. However, as there are now public proof-of-concept exploits, owners should apply the security updates as soon as possible.
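As an added example (not code from the article, Zyxel, or Outpost24), the following Python helper parses Zyxel's firmware version format and flags NAS326 and NAS542 units whose firmware predates the fixed releases named above, so an inventory can be triaged for patching. The inventory tuple layout and the assumption that a higher build number within the same major.minor release is newer are mine, not stated by the article.

```python
import re
from typing import NamedTuple

# First fixed firmware per model, as named in the article. The build codes
# (AAZF for NAS326, ABAG for NAS542) come from the article's version strings.
FIXED_FIRMWARE = {
    "NAS326": "5.21(AAZF.17)C0",
    "NAS542": "5.21(ABAG.14)C0",
}

# Version strings look like 5.21(AAZF.16)C0: major.minor, a model-specific
# build code, a build number, and a release suffix after the closing paren.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    build_code: str
    build: int
    release: int

    def key(self) -> tuple:
        # Assumed ordering: a higher build number within the same major.minor
        # is newer, which matches "AAZF.16 and earlier" vs. the AAZF.17 fix.
        return (self.major, self.minor, self.build, self.release)


def parse_version(text: str) -> ZyxelVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {text!r}")
    major, minor, code, build, rel = m.groups()
    return ZyxelVersion(int(major), int(minor), code, int(build), int(rel))


def is_vulnerable(model: str, firmware: str) -> bool:
    """True if the installed firmware predates the fixed release for model."""
    if model not in FIXED_FIRMWARE:
        raise ValueError(f"model not covered by the advisory: {model}")
    fixed = parse_version(FIXED_FIRMWARE[model])
    installed = parse_version(firmware)
    # A build code from the wrong model means the inventory entry is bad;
    # refuse to compare rather than silently report "patched".
    if installed.build_code != fixed.build_code:
        raise ValueError(f"build code {installed.build_code} is not a {model} build")
    return installed.key() < fixed.key()


def unpatched(inventory: list) -> list:
    """Filter (hostname, model, firmware) tuples down to those still exposed."""
    return [entry for entry in inventory if is_vulnerable(entry[1], entry[2])]
```

Feed `unpatched()` a list of `(hostname, model, firmware)` tuples from your asset inventory; anything it returns still needs the 5.21(AAZF.17)C0 or 5.21(ABAG.14)C0 update.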
Daily Brief Summary
Zyxel Networks issued an emergency patch for three critical vulnerabilities in its older NAS devices.
The affected models, NAS326 and NAS542, are no longer supported as they reached end-of-life on December 31, 2023.
The patched vulnerabilities allow command injection and remote code execution; the two remaining flaws, which enable privilege escalation and information disclosure, were not fixed.
Security researcher Timothy Hjort from Outpost24 identified all five vulnerabilities and has published a detailed write-up along with proof-of-concept exploits.
Zyxel has remediated three of the issues with firmware updates despite the models being out of the support period.
While there are no known exploits of these vulnerabilities in the wild, the availability of public PoCs necessitates urgent patching by device owners.