PT-2024-3976 · Zyxel · Zyxel NAS542, Zyxel NAS326

Timothy Hjort · Published 2024-06-03 · Updated 2025-01-22 · CVE-2024-29972

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Zyxel NAS326 versions prior to V5.21(AAZF.17)C0
Zyxel NAS542 versions prior to V5.21(ABAG.14)C0

Description
The issue exists because special elements in input that ends up in an operating system command are not neutralized. A remote, unauthenticated attacker may exploit it by sending a specially crafted HTTP POST request to the remote help-cgi CGI program, which allows the execution of some operating system (OS) commands and thereby arbitrary code.

Recommendations
For Zyxel NAS326 versions prior to V5.21(AAZF.17)C0, update to V5.21(AAZF.17)C0 or later. For Zyxel NAS542 versions prior to V5.21(ABAG.14)C0, update to V5.21(ABAG.14)C0 or later. As a temporary workaround, consider restricting access to the remote help-cgi CGI program until a patch is available.
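The advisory describes the weakness class (OS command injection) without showing code, so the following is an added illustration of what "neutralizing special elements" means in practice. It is not Zyxel's help-cgi source; the parameter name (a help "topic"), the file path and the `cat` command are hypothetical stand-ins chosen for the example. It places the vulnerable concatenation pattern beside a hardened form (allow-list validation plus an argument vector, with `shlex.quote` as a fallback) and a small detection helper for flagging request parameters that carry shell metacharacters.

```python
import re
import shlex

# Constructed illustration of the weakness class in this advisory. This is NOT
# Zyxel's help-cgi code; the "topic" parameter, the path and the command are
# hypothetical stand-ins.

# Characters that change a command's meaning when passed to a shell.
SHELL_META = set(";|&$`<>()\n\r\"'\\ ")

# Allow-list: only the characters a help-topic identifier legitimately needs.
TOPIC_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def build_command_unsafe(topic: str) -> str:
    """Vulnerable pattern: untrusted input concatenated into a shell string.

    Whatever the caller passes reaches the shell verbatim, so metacharacters
    alter the command instead of being treated as data. Shown for contrast only.
    """
    return "cat /usr/share/help/" + topic + ".txt"


def validate_topic(topic: str) -> str:
    """Reject any value outside the allow-list before it gets near a command."""
    if not TOPIC_RE.fullmatch(topic):
        raise ValueError("topic rejected by allow-list")
    return topic


def build_command_safe(topic: str) -> list:
    """Hardened pattern: allow-list validation plus an argument vector.

    The returned list is intended for subprocess.run(..., shell=False); with no
    shell involved there is nothing for metacharacters to act on.
    """
    return ["cat", "/usr/share/help/" + validate_topic(topic) + ".txt"]


def build_command_quoted(topic: str) -> str:
    """Fallback when a shell string is unavoidable: quote the value as one literal."""
    return "cat " + shlex.quote("/usr/share/help/" + topic + ".txt")


def contains_shell_meta(value: str) -> bool:
    """Detection aid: does a request parameter carry shell metacharacters?"""
    return any(ch in SHELL_META for ch in value)


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed topic, one with a metacharacter.
    for sample in ["getting-started", "topic; extra"]:
        print(repr(sample), "metacharacters:", contains_shell_meta(sample))
        try:
            print("  hardened argv:", build_command_safe(sample))
        except ValueError as exc:
            print("  hardened argv:", exc)
```

The allow-list deliberately excludes dots, so the validated value cannot form `..` segments either; when input must be passed through a shell, `build_command_quoted` shows the quoting fallback, but the argument-vector form is the one to prefer.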

Exploit

Fix

Weakness Enumeration
OS Command Injection

Related Identifiers
BDU:2024-04391
CVE-2024-29972

Affected Products
Zyxel NAS326
Zyxel NAS542