Zyxel security advisory for OS command injection vulnerability in NAS products

Zyxel_May
Zyxel_May Posts: 157  Zyxel Employee
First Comment Fourth Anniversary

CVE: CVE-2024-6342

Summary

Zyxel has released hotfixes addressing command injection vulnerability in two NAS products that have reached end-of-vulnerability-support. Users are advised to install the hotfixes for optimal protection.

What is the vulnerability?

CVE-2024-6342

**UNSUPPORTED WHEN ASSIGNED**

A command injection vulnerability in the export-cgi program of Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

What versions are vulnerable—and what should you do?

Due to the critical severity of the vulnerability CVE-2024-6342, Zyxel has made hotfixes available to customers with extended support as outlined in the table below, despite the products already having reached end-of-vulnerability-support*.

Affected model

Affected version

Hotfix availability

NAS326

V5.21(AAZF.18)C0 and earlier

V5.21(AAZF.18)Hotfix-01

NAS542

V5.21(ABAG.15)C0 and earlier

V5.21(ABAG.15)Hotfix-01

*Both NAS326 and NAS542 reached end-of-vulnerability-support on Dec. 31, 2023.

Got a question?

Please contact your local service rep or visit Zyxel’s community for further information or assistance.

Acknowledgment

Thanks to Nanyu Zhong and Jinwei Dong from VARAS@IIE for reporting the issue to us.

Revision history

2024-9-10: Initial release.