CVE-2024-29974

Name of the Vulnerable Software and Affected Versions Zyxel NAS326 versions prior to V5.21(AAZF.17)C0 Zyxel NAS542 versions prior to V5.21(ABAG.14)C0

Description The issue is related to a remote code execution vulnerability in the CGI program file upload-cgi in Zyxel NAS326 and NAS542 firmware. This vulnerability could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device. The vulnerability is associated with unlimited upload of dangerous file types, which can be exploited by a remote attacker to bypass security restrictions and execute arbitrary code.

Recommendations For Zyxel NAS326 versions prior to V5.21(AAZF.17)C0, update to version V5.21(AAZF.17)C0 or later. For Zyxel NAS542 versions prior to V5.21(ABAG.14)C0, update to version V5.21(ABAG.14)C0 or later. As a temporary workaround, consider disabling the file upload-cgi function until a patch is available. Restrict access to the vulnerable file upload-cgi module to minimize the risk of exploitation. Avoid using the vulnerable CGI program until the issue is resolved.