Zyxel NAS Devices Under Attack: CVE-2024-29973 Exploitation Attempts by Mirai-Like Botnet


Shadowserver, a leading threat monitoring platform, has warned of active exploitation of a critical vulnerability in Zyxel NAS devices. The flaw, tracked as CVE-2024-29973 (CVSS 9.8), allows unauthenticated attackers to inject and execute commands remotely, compromising the security and integrity of the affected devices.

The Threat: CVE-2024-29973

Discovered by Timothy Hjort of Outpost24’s Ghost Labs, CVE-2024-29973 is a command injection vulnerability in the “setCookie” parameter of the Zyxel NAS326 and NAS542 models. Exploiting it allows attackers to gain unauthorized access to the device’s operating system and execute commands with potentially devastating consequences. Hjort’s technical write-up on the vulnerability included proof-of-concept exploit code, which has likely contributed to the rapid emergence of exploitation attempts.

Mirai Botnet

The exploitation attempts have been linked to a Mirai-like botnet, a notorious malware family known for hijacking vulnerable devices to create massive botnets. These botnets are often used to launch distributed denial-of-service (DDoS) attacks, which can cripple websites and online services.

Who’s at Risk?

The vulnerable Zyxel NAS models include NAS326 devices running firmware v5.21(AAZF.16)C0 or earlier and NAS542 devices running v5.21(ABAG.13)C0 or earlier. While these models have reached end-of-life support, they are still widely used by individuals and businesses alike.

Zyxel’s Response

Zyxel has acknowledged the critical nature of the vulnerability and has released patches for customers with extended support. Zyxel strongly advises users to upgrade to the latest firmware versions, v5.21(AAZF.17)C0 for NAS326 and v5.21(ABAG.14)C0 for NAS542, to mitigate the risk of compromise.
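To turn the version boundaries from the two sections above into an inventory check, here is an added example (not Zyxel's or the advisory's own code) that parses Zyxel's firmware string format and flags devices still on a vulnerable build. The regex for the version format and the `triage` helper are assumptions; the fixed-build numbers come from the advisory text.

```python
import re
from dataclasses import dataclass

# Boundaries stated in the advisory: NAS326 is vulnerable on v5.21(AAZF.16)C0
# and earlier (fixed in AAZF.17); NAS542 on v5.21(ABAG.13)C0 and earlier
# (fixed in ABAG.14). The branch code identifies the model's firmware train.
FIXED_BUILD = {
    "NAS326": ("AAZF", 17),
    "NAS542": ("ABAG", 14),
}

# Assumed layout of a Zyxel version string: v<major>.<minor>(<branch>.<build>)C<rev>
_VERSION_RE = re.compile(r"^[vV](\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


@dataclass(frozen=True)
class ZyxelVersion:
    major: int
    minor: int
    branch: str    # e.g. "AAZF"
    build: int     # e.g. 16
    revision: int  # the trailing "C0"


def parse_version(text: str) -> ZyxelVersion:
    """Parse a string such as 'v5.21(AAZF.16)C0' into its components."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {text!r}")
    major, minor, branch, build, rev = m.groups()
    return ZyxelVersion(int(major), int(minor), branch, int(build), int(rev))


def is_vulnerable(model: str, version_text: str) -> bool:
    """True when the firmware is at or below the last vulnerable build for the model."""
    if model not in FIXED_BUILD:
        raise ValueError(f"model {model!r} is not covered by this advisory")
    fixed_branch, fixed_build = FIXED_BUILD[model]
    v = parse_version(version_text)
    if v.branch != fixed_branch:
        raise ValueError(f"{version_text!r} is not {model} firmware (expected {fixed_branch})")
    # Only the 5.21 train is described; older trains are treated as vulnerable,
    # newer ones as fixed.
    if (v.major, v.minor) != (5, 21):
        return (v.major, v.minor) < (5, 21)
    return v.build < fixed_build


def triage(inventory):
    """Return the (model, version) pairs from an inventory that still need patching."""
    return [(m, ver) for m, ver in inventory if is_vulnerable(m, ver)]
```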

Urgency for Action

The active exploitation of CVE-2024-29973 by a Mirai-like botnet underscores the urgency of applying the necessary security patches. Zyxel NAS owners are strongly encouraged to act promptly to protect their devices from unauthorized access and potential incorporation into malicious botnets.

Expert Recommendations

In addition to applying the official patch, security experts recommend the following measures:

  • Change default passwords and use strong, unique credentials.
  • Disable remote access if not necessary.
  • Regularly update firmware and software to the latest versions.
  • Implement a firewall and intrusion detection system to monitor for suspicious activity.