Zyxel Rolls Out Urgent Security Patch for End-of-Life NAS Devices

June 4, 2024

Zyxel Networks has issued an urgent security patch to address three critical vulnerabilities in its older NAS devices that are no longer supported. These devices include NAS326 running firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and older. These vulnerabilities could allow attackers to inject commands and execute code remotely.

The three critical flaws were identified and reported by Timothy Hjort, a security researcher at Outpost24. The vulnerabilities were disclosed in detail, along with proof-of-concept exploits, in coordination with Zyxel. The vulnerabilities are listed as CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974. However, two additional flaws that could allow privilege escalation and data disclosure were not fixed for these end-of-life products.

Despite these NAS models reaching the end of their support period on December 31, 2023, Zyxel decided to release fixes for the three critical flaws. These fixes are available in versions 5.21(AAZF.17)C0 for NAS326 and 5.21(ABAG.14)C0 for NAS542. 'Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers [...] despite the products already having reached end-of-vulnerability-support,' according to a Zyxel security advisory.

Currently, Zyxel has not detected any exploitation of the vulnerability in the wild. However, with the public release of proof-of-concept exploits, device owners are advised to apply the security updates as soon as possible to protect their systems.

Latest News

• DarkGate Malware Upgrades: Shifts from AutoIt to AutoHotkey in Recent Cyber Attacks
• Oracle WebLogic Server Vulnerability Under Active Exploitation
• Critical Exploit Unveiled for Progress Telerik: Immediate Patch Required
• CISA Alerts on Actively Exploited Linux Kernel Vulnerability
• FlyingYeti Uses WinRAR Flaw to Deploy COOKBOX Malware in Ukraine