About the Vulnerability
Introduction
Zyxel NAS is a network-attached storage device developed by Zyxel Communications Corporation, designed for storing and sharing files. It connects to computers, servers, or other devices over a network to provide centralized file storage and access.
Summary
On June 6, 2024, Sangfor FarSight Labs received notification of a remote code execution vulnerability (CVE-2024-29974) in Zyxel NAS, rated critical (CVSS score 9.8) by NVD.
The vulnerability exists in the CGI program file_upload-cgi on Zyxel NAS326 firmware earlier than V5.21(AAZF.17)C0 and NAS542 firmware earlier than V5.21(ABAG.14)C0. An unauthenticated attacker can execute arbitrary code by uploading a malicious file, leading to compromise of the device.
Affected Versions
Zyxel NAS326 < V5.21(AAZF.17)C0
Zyxel NAS542 < V5.21(ABAG.14)C0
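As an added triage helper (not part of the original advisory), the following Python parses Zyxel's firmware string format and reports whether a device is below the fixed build listed above. It assumes the string layout V<major>.<minor>(<model code>.<release>)C<patch>, where the model code (AAZF for NAS326, ABAG for NAS542) ties the firmware to a product, and that releases compare numerically; the sample inventory is constructed.

```python
import re
from typing import List, NamedTuple, Tuple

# Fixed firmware per product, as stated in the advisory for CVE-2024-29974.
FIXED_VERSIONS = {
    "NAS326": "V5.21(AAZF.17)C0",
    "NAS542": "V5.21(ABAG.14)C0",
}

# Assumed layout of Zyxel firmware strings: V5.21(AAZF.17)C0
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    code: str      # model-specific firmware code, e.g. AAZF for NAS326
    release: int   # release number inside the parentheses
    patch: int     # trailing "C" patch number

    def key(self) -> Tuple[int, int, int, int]:
        # Ordering used for "earlier than": major, minor, release, then patch.
        return (self.major, self.minor, self.release, self.patch)


def parse_version(text: str) -> ZyxelVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware string: {text!r}")
    major, minor, code, release, patch = m.groups()
    return ZyxelVersion(int(major), int(minor), code, int(release), int(patch))


def is_affected(model: str, firmware: str) -> bool:
    """True when the firmware is older than the fixed build for this model."""
    if model not in FIXED_VERSIONS:
        raise ValueError(f"{model} is not covered by this advisory")
    fixed = parse_version(FIXED_VERSIONS[model])
    current = parse_version(firmware)
    if current.code != fixed.code:
        # A mismatched code means the string belongs to a different product.
        raise ValueError(f"firmware code {current.code} does not match {model}")
    return current.key() < fixed.key()


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, bool]]:
    """Check (host, model, firmware) tuples; returns (host, affected) pairs."""
    return [(host, is_affected(model, fw)) for host, model, fw in inventory]


if __name__ == "__main__":
    sample = [  # constructed sample inventory, not real devices
        ("nas-01", "NAS326", "V5.21(AAZF.16)C0"),
        ("nas-02", "NAS326", "V5.21(AAZF.17)C0"),
        ("nas-03", "NAS542", "V5.21(ABAG.14)C0"),
    ]
    for host, affected in triage(sample):
        print(f"{host}: {'UPDATE REQUIRED' if affected else 'patched'}")
```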
Solutions
Remediation Solutions
Official Solution
Zyxel has released new firmware versions, and affected users are strongly advised to update to the following versions to fix the vulnerability.
NAS326: V5.21(AAZF.17)C0
NAS542: V5.21(ABAG.14)C0
Download link: https://www.zyxel.com/global/en/support/download
Timeline
On June 6, 2024, Sangfor FarSight Labs received notification of the Zyxel NAS remote code execution vulnerability (CVE-2024-29974).
On June 6, 2024, Sangfor FarSight Labs released a vulnerability alert.
References
https://outpost24.com/blog/zyxel-nas-critical-vulnerabilities/
https://cxsecurity.com/cveshow/CVE-2024-29974/
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-nas-products-06-04-2024