Security News > 2024 > June > Zyxel issues emergency RCE patch for end-of-life NAS devices

Zyxel issues emergency RCE patch for end-of-life NAS devices
2024-06-04 17:28

Zyxel Networks has released an emergency security update to address three critical vulnerabilities impacting older NAS devices that have reached end-of-life.

Although both NAS models reached the end of their support period on December 31, 2023, Zyxel released fixes for the three critical flaws in versions 5.21(AAZF.17)C0 for NAS326 and 5.21(ABAG.14)C0 for NAS542.

"Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers despite the products already having reached end-of-vulnerability-support," reads a Zyxel security advisory.

Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks.

Widely used modems in industrial IoT devices open to SMS attack.

Over 50,000 Tinyproxy servers vulnerable to critical RCE flaw.


News URL

https://www.bleepingcomputer.com/news/security/zyxel-issues-emergency-rce-patch-for-end-of-life-nas-devices/

Related news

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2024-06-04 CVE-2024-29974 Unspecified vulnerability in Zyxel Nas326 Firmware and Nas542 Firmware
** UNSUPPORTED WHEN ASSIGNED ** The remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device. 		0.0
0.0
2024-06-04 CVE-2024-29973 Unspecified vulnerability in Zyxel Nas326 Firmware and Nas542 Firmware
** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request. 		0.0
0.0
2024-06-04 CVE-2024-29972 Unspecified vulnerability in Zyxel Nas326 Firmware and Nas542 Firmware
** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the CGI program "remote_help-cgi" in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request. 		0.0
0.0

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Zyxel 387 0 74 86 47 207