Zyxel NAS devices hit by critical security threat, so patch now

6 June 2024, 20:59 published

[ad_1]

Zyxel has patched three high-severity flaws plaguing some of its NAS devices.

In a security advisory, Zyxel said it released patches for CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, three flaws with severity scores of 9.8/10 (critical), and urged users to apply them immediately.

The vulnerabilities, discovered in March 2024, were discovered in NAS326 (running version V5.21(AAZF.16)C0 and earlier) and NAS542 (running versions V5.21(ABAG.13)C0 and earlier).

Proof of concept

CVE-2024-29972 is a backdoor account in the Zyxel firmware, called “NsaRescueAngel”. This is a remote support account with root privileges that Zyxel supposedly removed four years ago, but obviously didn’t. CVE-2024-29973 is a Python code injection flaw that Zyxel created while patching a separate vulnerability last year (CVE-2023-27992), while CVE-2024-29974 is a remote code execution (RCE) flaw granting potential attackers persistence on the compromised devices.

Besides the three flaws, the researchers found two additional ones – CVE-2024-29975 and CVE-2024-29976. However, these are moderately severe, with scores 6.7 and 6.5 respectively. Both are described as privilege escalation flaws.

It is also worth mentioning that these two Zyxel devices reached end-of-life status on December 31, 2023, and Zyxel still decided to patch them for the organizations with extended warranty.

“Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support… despite the products already having reached end-of-vulnerability-support,” the advisory added.

The vulnerabilities were found by Timothy Hjort, a security research intern at Outpost24, The Register reported. Besides the discovery, Hjort also included a proof of concept (PoC) that demonstrated how the vulnerabilities could be exploited. At press time, there were no reports or evidence of in-the-wild abuse, however, since the devices are past EoD, and with the methodology widely available, it is probably just a matter of time.

More from TechRadar Pro

[ad_2]

Source link

Joy

Cong.

Loved

Surprised

Unliked

Mad

Zyxel NAS devices hit by critical security threat, so patch now

Comment

Zyxel NAS devices hit by critical security threat, so patch now

Write a Reply Cancel

You may be interested

The Galaxy S25 could have genuinely useful AI features that trump Apple Intelligence – including these 5 tricks

I’ve been waiting years for ChatGPT’s new Tasks feature – here’s how I’m planning to use it to organize my life

Wrexham’s new stadium plans get even BIGGER after Ryan Reynolds revealed vision for 55,000-seater ground

150TB SSD modules to go mainstream in 2025, and Micron is getting a slice of that pie

Nvidia abandons the problematic 12VHPWR RTX 4080 power connector with a much longer one for the RTX 5080 FE according to leaked images

Transfer news LIVE: Saudis set to offer Mohamed Salah £65m, Marcus Rashford EXCLUSIVE, Trent Alexander-Arnold TWIST

L’Oreal’s new skin testing suite paid me such a nice compliment, I nearly stole it from the demo room

Israel, Hamas appear to agree on tentative Gaza ceasefire deal: officials – National

Thousands of WordPress websites hit in new malware attack, here’s what we know

Privacy of millions worldwide compromised as huge data location broker got hacked

Zyxel NAS devices hit by critical security threat, so patch now

Share This Post

or copy the link

Related News

Write a Reply Cancel

You may be interested