Urgent Security Update for Zyxel NAS Devices: Patches Available for Critical Flaws
Zyxel has released critical security patches for two of its Network Attached Storage (NAS) devices, NAS326 and NAS542, addressing severe vulnerabilities that could allow attackers to execute code remotely and compromise system security.
The Vulnerabilities
The vulnerabilities, discovered by security researcher Timothy Hjort from Outpost24, include:
- CVE-2024-29972, CVE-2024-29973 (CVSS 9.8): Command injection vulnerabilities allowing unauthenticated attackers to execute OS commands on the devices.
- CVE-2024-29974 (CVSS 9.8): Remote code execution vulnerability enabling attackers to run arbitrary code on the devices.
- CVE-2024-29975 (CVSS 6.7): Improper privilege management flaw allowing local attackers to gain root privileges.
- CVE-2024-29976 (CVSS 6.5): Improper privilege management issue leading to information leakage.
End-of-Life Products Receive Patches
Despite NAS326 and NAS542 reaching their end-of-vulnerability-support in December 2023, Zyxel has made patches available to customers with extended support due to the critical nature of these vulnerabilities.
“Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support […], despite the products already having reached end-of-vulnerability-support,” the company warns.
Affected Models and Patch Availability
- NAS326: Versions V5.21(AAZF.16)C0 and earlier are affected. Patch available in version V5.21(AAZF.17)C0.
- NAS542: Versions V5.21(ABAG.13)C0 and earlier are affected. Patch available in version V5.21(ABAG.14)C0.
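For anyone checking a fleet of these devices against the advisory, the version strings above follow a regular pattern that is easy to compare programmatically. The following is an added example, not code from Zyxel or from the article: it parses the firmware string into its parts, compares an installed version against the first patched build listed above, and reports which devices still need the update. The layout `V<major>.<minor>(<model code>.<build>)C<revision>`, the mapping of the model codes AAZF and ABAG to NAS326 and NAS542 (read off the version strings in the advisory), and the sample inventory are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# First patched build per model, taken from the advisory text. The model code
# (AAZF / ABAG) is read from the version strings the advisory lists per model.
ADVISORY = {
    "NAS326": {"code": "AAZF", "fixed": "V5.21(AAZF.17)C0"},
    "NAS542": {"code": "ABAG", "fixed": "V5.21(ABAG.14)C0"},
}

# Assumed layout of a Zyxel NAS firmware string (an interpretation for this
# example, not Zyxel documentation): V<major>.<minor>(<model code>.<build>)C<revision>
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


@dataclass(frozen=True)
class ZyxelVersion:
    major: int
    minor: int
    code: str
    build: int
    revision: int

    def key(self) -> tuple:
        # Ordering tuple; the model code is left out because versions are only
        # comparable within a single model line.
        return (self.major, self.minor, self.build, self.revision)


def parse_version(text: str) -> ZyxelVersion:
    """Split a firmware string such as 'V5.21(AAZF.16)C0' into its components."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {text!r}")
    major, minor, code, build, revision = m.groups()
    return ZyxelVersion(int(major), int(minor), code, int(build), int(revision))


def assess(model: str, version_text: str) -> str:
    """Return 'patched', 'vulnerable', 'model_mismatch' or 'unknown_model'."""
    entry = ADVISORY.get(model)
    if entry is None:
        return "unknown_model"
    installed = parse_version(version_text)
    if installed.code != entry["code"]:
        # The firmware string does not belong to the claimed model; do not guess.
        return "model_mismatch"
    fixed = parse_version(entry["fixed"])
    # "Versions ... and earlier are affected": anything below the fixed build is vulnerable.
    return "patched" if installed.key() >= fixed.key() else "vulnerable"


def devices_needing_update(inventory: Iterable[tuple]) -> list:
    """Return (hostname, model, version, status) for every device not confirmed patched."""
    report = []
    for hostname, model, version_text in inventory:
        try:
            status = assess(model, version_text)
        except ValueError:
            status = "unparseable_version"
        if status != "patched":
            report.append((hostname, model, version_text, status))
    return report


# Constructed sample inventory: hostnames are invented, versions chosen to
# sit on both sides of the advisory's thresholds.
SAMPLE_INVENTORY = [
    ("nas-a", "NAS326", "V5.21(AAZF.16)C0"),
    ("nas-b", "NAS326", "V5.21(AAZF.17)C0"),
    ("nas-c", "NAS542", "V5.21(ABAG.13)C0"),
    ("nas-d", "NAS542", "V5.21(ABAG.14)C0"),
    ("nas-e", "NAS542", "V5.20(ABAG.9)C0"),
]

if __name__ == "__main__":
    for row in devices_needing_update(SAMPLE_INVENTORY):
        print(*row)
```

The comparison deliberately refuses to judge a device whose firmware code does not match the model it is recorded under, since a wrong inventory entry is exactly the case in which a naive "newer number wins" check would give false reassurance.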
Call to Action
Zyxel strongly urges all users of the affected NAS models to update their devices immediately. The severity of these vulnerabilities makes unpatched devices attractive targets for attackers, and delaying the update could lead to serious security breaches.