PT-2024-4078 · Zyxel · Zyxel NAS542 +1

Author: Timothy Hjort · Published 2024-06-03 · Updated 2025-07-30 · CVE-2024-29973

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
  Zyxel NAS326 versions prior to V5.21(AAZF.17)C0
  Zyxel NAS542 versions prior to V5.21(ABAG.14)C0

Description: The command injection vulnerability in the setCookie parameter could allow an unauthenticated attacker to execute operating system (OS) commands by sending a crafted HTTP POST request to the /cmd,/simZysh/register main/setCookie endpoint. An estimated 1,194 exposed NAS326 and NAS542 devices, primarily in Europe, are potentially affected. Botnets have been observed exploiting this issue.

Recommendations: For Zyxel NAS326 versions prior to V5.21(AAZF.17)C0, update the firmware to V5.21(AAZF.17)C0 or later. For Zyxel NAS542 versions prior to V5.21(ABAG.14)C0, update the firmware to V5.21(ABAG.14)C0 or later. As a temporary workaround, consider restricting access to the setCookie parameter of the /cmd,/simZysh/register main/setCookie endpoint until a patch is available.
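As an added detection example (not part of this advisory or Zyxel's code), the Python below scans combined-format access logs from a reverse proxy in front of the NAS for POST requests to the endpoint named above, percent-decoding and normalising the path first so encoded variants are not missed. The sample log lines are constructed, and the middle path segment is matched loosely on the assumption that the page's "register main" lost an underscore in extraction.

```python
import re
from urllib.parse import unquote

# Combined log format line, e.g. from a reverse proxy in front of the NAS.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint from the advisory. The middle segment is matched loosely
# (assumption: the page's "register main" may have lost an underscore).
ENDPOINT_RE = re.compile(r'^/cmd,/simzysh/[^/]+/setcookie$')


def normalize_path(raw_path):
    """Drop the query string, percent-decode twice (handles double encoding),
    collapse repeated slashes and lower-case so encoded variants still match."""
    path = raw_path.split('?', 1)[0]
    for _ in range(2):
        path = unquote(path)
    path = re.sub(r'/+', '/', path)
    return path.lower()


def is_setcookie_probe(method, raw_path):
    # The advisory describes a POST; other methods are left for the analyst.
    return method == 'POST' and bool(ENDPOINT_RE.match(normalize_path(raw_path)))


def scan_access_log(lines):
    """Return (client_ip, timestamp, status) for each POST to the endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_setcookie_probe(m['method'], m['path']):
            hits.append((m['ip'], m['ts'], int(m['status'])))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Jun/2024:10:15:02 +0000] "POST /cmd,/simZysh/register_main/setCookie HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Jun/2024:10:15:05 +0000] "POST /cmd%2C/simZysh/register_main/setCookie HTTP/1.1" 200 512',
    '203.0.113.9 - - [04/Jun/2024:10:16:11 +0000] "GET /cmd,/simZysh/register_main/setCookie HTTP/1.1" 404 0',
    '192.0.2.44 - - [04/Jun/2024:10:17:30 +0000] "POST /cgi-bin/weblogin.cgi HTTP/1.1" 200 2048',
    'malformed line that does not parse',
]

if __name__ == '__main__':
    for ip, ts, status in scan_access_log(SAMPLE_LOG):
        print(f'{ts} {ip} status={status}')
```

A 200 response to such a request on an unpatched device is the indicator worth escalating; on a patched or access-restricted device the same requests should be rejected.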

Exploit · Fix

Weakness Enumeration: OS Command Injection

Related Identifiers:
  BDU:2024-04527
  CVE-2024-29973

Affected Products:
  Zyxel NAS326
  Zyxel NAS542