Zyxel security advisory for OS command injection vulnerability in NAS products
Zyxel Employee
CVE: CVE-2024-6342
Summary
Zyxel has released hotfixes addressing command injection vulnerability in two NAS products that have reached end-of-vulnerability-support. Users are advised to install the hotfixes for optimal protection.
What is the vulnerability?
CVE-2024-6342
**UNSUPPORTED WHEN ASSIGNED**
A command injection vulnerability in the export-cgi program of Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.
What versions are vulnerable—and what should you do?
Due to the critical severity of the vulnerability CVE-2024-6342, Zyxel has made hotfixes available to customers with extended support as outlined in the table below, despite the products already having reached end-of-vulnerability-support*.
Affected model | Affected version | Hotfix availability |
|---|---|---|
NAS326 | V5.21(AAZF.18)C0 and earlier | |
NAS542 | V5.21(ABAG.15)C0 and earlier |
*Both NAS326 and NAS542 reached end-of-vulnerability-support on Dec. 31, 2023.
Got a question?
Please contact your local service rep or visit Zyxel’s community for further information or assistance.
Acknowledgment
Thanks to Nanyu Zhong and Jinwei Dong from VARAS@IIE for reporting the issue to us.
Revision history
2024-9-10: Initial release.
Categories
- All Categories
- 415 Beta Program
- 2.5K Nebula
- 152 Nebula Ideas
- 102 Nebula Status and Incidents
- 5.8K Security
- 305 USG FLEX H Series
- 283 Security Ideas
- 1.5K Switch
- 77 Switch Ideas
- 1.1K Wireless
- 42 Wireless Ideas
- 6.5K Consumer Product
- 255 Service & License
- 396 News and Release
- 85 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.7K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 87 About Community
- 77 Security Highlight