June 5, 2024 at 08:00AM
Taiwan-based networking device manufacturer Zyxel warned of three critical-severity vulnerabilities in discontinued NAS products that allow command injection and arbitrary code execution without authentication. Although the affected NAS326 and NAS542 models have reached end of vulnerability support, Zyxel still released patches for them. Successful exploitation could give an attacker persistent root access, so the firmware updates should be applied immediately.
Zyxel has issued a warning about three critical-severity vulnerabilities in two discontinued NAS products, the NAS326 and NAS542. The flaws, tracked as CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, can lead to command injection and arbitrary code execution.
All three can be exploited without authentication, which makes them a serious risk for any device reachable from an untrusted network. Outpost24 security researcher Timothy Hjort, who discovered and reported the vulnerabilities, noted that successful exploitation could give an attacker persistent root access to the vulnerable NAS devices.
Even though both products have already passed end of vulnerability support, Zyxel has made patches available to customers with extended support. NAS326 users are advised to update to firmware version V5.21(AAZF.17)C0, and NAS542 users to firmware version V5.21(ABAG.14)C0, as soon as possible.
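As an added illustration for administrators with several of these devices (this is not Zyxel's tooling and not code from the original advisory), the script below parses firmware version strings in the format quoted above and flags inventory entries that are still below the fixed builds. It assumes that the parenthesised token is a per-model code followed by a build number and that the trailing "C<n>" is a release suffix, so versions are compared as (major, minor, build, release); the inventory rows are constructed sample data.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Zyxel firmware versions as printed in the advisory, e.g. "V5.21(AAZF.17)C0".
# ASSUMPTION (not stated on the page): "AAZF" is a per-model code, "17" the
# build number, and "C0" a release suffix; ordering is major, minor, build, release.
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class Firmware(NamedTuple):
    major: int
    minor: int
    model_code: str
    build: int
    release: int

    def key(self) -> Tuple[int, int, int, int]:
        return (self.major, self.minor, self.build, self.release)


def parse_firmware(version: str) -> Firmware:
    """Parse a Zyxel-style version string; raise ValueError on anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {version!r}")
    major, minor, code, build, release = m.groups()
    return Firmware(int(major), int(minor), code, int(build), int(release))


# Fixed versions taken from the advisory text.
FIXED_VERSIONS = {
    "NAS326": "V5.21(AAZF.17)C0",
    "NAS542": "V5.21(ABAG.14)C0",
}


def needs_update(model: str, running: str) -> Optional[bool]:
    """True if the running build is older than the fixed one, False if patched,
    None if the model is not covered by this advisory."""
    if model not in FIXED_VERSIONS:
        return None
    fixed = parse_firmware(FIXED_VERSIONS[model])
    current = parse_firmware(running)
    if current.model_code != fixed.model_code:
        # A different model code means the string is not firmware for this model;
        # refuse to guess rather than silently mark the device as patched.
        raise ValueError(
            f"{running!r} has model code {current.model_code}, expected {fixed.model_code} for {model}"
        )
    return current.key() < fixed.key()


# Constructed sample inventory (hostname, model, reported firmware); "NAS999"
# and "XXXX" are placeholders for a model the advisory does not cover.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("nas-a", "NAS326", "V5.21(AAZF.16)C0"),
    ("nas-b", "NAS326", "V5.21(AAZF.17)C0"),
    ("nas-c", "NAS542", "V5.21(ABAG.13)C0"),
    ("nas-d", "NAS542", "V5.21(ABAG.14)C0"),
    ("nas-e", "NAS999", "V5.21(XXXX.1)C0"),
]


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return only the rows that still need the fixed firmware."""
    return [row for row in inventory if needs_update(row[1], row[2]) is True]


if __name__ == "__main__":
    for host, model, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {model} on {version} -> update to {FIXED_VERSIONS[model]}")
```

The strict model-code check is deliberate: a NAS542 string fed into the NAS326 comparison would otherwise compare build numbers across unrelated firmware lines and could report a vulnerable device as patched.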
Zyxel is treating these vulnerabilities as urgent and is actively working to mitigate the associated risk. Affected customers should be made aware that updating the firmware promptly is the only way to protect these devices against exploitation.