Zyxel security advisory for OS command injection vulnerability in NAS products
CVE: CVE-2024-6342
Summary
Zyxel has released hotfixes addressing command injection vulnerability in two NAS products that have reached end-of-vulnerability-support. Users are advised to install the hotfixes for optimal protection.
What is the vulnerability?
CVE-2024-6342
**UNSUPPORTED WHEN ASSIGNED**
A command injection vulnerability in the export-cgi program of Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.
What versions are vulnerable—and what should you do?
Due to the critical severity of the vulnerability CVE-2024-6342, Zyxel has made hotfixes available to customers with extended support as outlined in the table below, despite the products already having reached end-of-vulnerability-support*.
Affected model | Affected version | Hotfix availability |
---|---|---|
NAS326 | V5.21(AAZF.18)C0 and earlier | |
NAS542 | V5.21(ABAG.15)C0 and earlier |
*Both NAS326 and NAS542 reached end-of-vulnerability-support on Dec. 31, 2023.
Got a question?
Please contact your local service rep or visit Zyxel’s community for further information or assistance.
Acknowledgment
Thanks to Nanyu Zhong and Jinwei Dong from VARAS@IIE for reporting the issue to us.
Revision history
2024-9-10: Initial release.
Categories
- All Categories
- 415 Beta Program
- 2.3K Nebula
- 141 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.5K Security
- 216 USG FLEX H Series
- 262 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1K Wireless
- 39 Wireless Ideas
- 6.3K Consumer Product
- 243 Service & License
- 382 News and Release
- 81 Security Advisories
- 27 Education Center
- 8 [Campaign] Zyxel Network Detective
- 3K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight