Zyxel issues emergency RCE patch for end-of-life NAS devices

June 4, 2024 at 01:35PM

Zyxel Networks released an emergency security update addressing three critical vulnerabilities in older NAS devices that have reached end-of-life. The flaws enable command injection, remote code execution, privilege escalation, and information disclosure. Outpost24 security researcher Timothy Hjort discovered and reported the vulnerabilities. Zyxel released the fixes despite the devices' end-of-support status and urged customers to apply them immediately because proof-of-concept exploits are publicly available.

Meeting Notes Summary:

Zyxel Networks has issued an urgent security update to address three critical vulnerabilities affecting older NAS devices that are no longer receiving updates. The vulnerabilities impact NAS326 and NAS542 devices running specific firmware versions, potentially allowing attackers to execute commands and upload malicious files. Outpost24 security researcher Timothy Hjort discovered and reported these vulnerabilities to Zyxel, and they have been made public along with proof-of-concept exploits.

Zyxel has fixed the CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974 vulnerabilities in the latest firmware versions, despite the end-of-support status of the devices. However, two other vulnerabilities, CVE-2024-29975 and CVE-2024-29976, remain unfixed for the end-of-life products.

Zyxel has emphasized the critical nature of the fixed vulnerabilities and strongly advises customers to apply the security updates promptly, even though the devices have reached end-of-vulnerability-support status. Although no exploitation in the wild has been reported, the public availability of proof-of-concept exploits makes immediate action by device owners necessary.