CVE-2024-6342: Critical Command Injection Flaw in Zyxel NAS Devices, Hotfixes Released for End-of-Support Products

by do son · September 9, 2024

Zyxel has released critical hotfixes for two of its NAS products, NAS326 and NAS542, which have already reached their end-of-vulnerability-support lifecycle. These devices are susceptible to a command injection vulnerability (CVE-2024-6342), which carries a severity score of 9.8 on the CVSS scale, making it a critical threat.

The vulnerability lies within the export-cgi program of the affected NAS devices. It allows an unauthenticated attacker to remotely execute operating system commands by sending a maliciously crafted HTTP POST request. If exploited, this could lead to a complete compromise of the NAS system, enabling attackers to gain control, exfiltrate data, or launch further attacks on other systems within the network.

Vulnerable Products and Versions

Zyxel NAS326: Versions V5.21(AAZF.18)C0 and earlier
Zyxel NAS542: Versions V5.21(ABAG.15)C0 and earlier

Although these devices reached their end-of-vulnerability-support on December 31, 2023, Zyxel has taken the exceptional step of providing hotfixes to address this critical flaw due to its severity and potential impact on users.

Hotfix Availability

Zyxel has urged users of the affected devices to install the hotfixes immediately to ensure optimal protection. The hotfixes are available for download on Zyxel’s official support page:

NAS326: Version V5.21(AAZF.18)Hotfix-01
NAS542: Version V5.21(ABAG.15)Hotfix-01

The Importance of Prompt Action

Given the critical nature of the CVE-2024-6342 vulnerability, it is essential for all NAS326 and NAS542 users, even those using these devices beyond their official support period, to apply the hotfixes. Unpatched systems are at high risk of being targeted by malicious actors who can exploit the vulnerability to take full control of the device and execute unauthorized operations.

For organizations or individuals that rely on Zyxel NAS devices for their data storage needs, this hotfix serves as a final line of defense. Since no further vulnerability support will be provided for these devices, users should also consider migrating to newer, supported hardware to avoid future risks.