Zyxel Rolls Out Urgent Security Patch for End-of-Life NAS Devices

June 4, 2024

Zyxel Networks has issued an urgent security patch to address three critical vulnerabilities in its older NAS devices that are no longer supported. These devices include NAS326 running firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and older. These vulnerabilities could allow attackers to inject commands and execute code remotely.

The three critical flaws were identified and reported by Timothy Hjort, a security researcher at Outpost24. The vulnerabilities were disclosed in detail, along with proof-of-concept exploits, in coordination with Zyxel. The vulnerabilities are listed as CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974. However, two additional flaws that could allow privilege escalation and data disclosure were not fixed for these end-of-life products.

Despite these NAS models reaching the end of their support period on December 31, 2023, Zyxel decided to release fixes for the three critical flaws. These fixes are available in versions 5.21(AAZF.17)C0 for NAS326 and 5.21(ABAG.14)C0 for NAS542. 'Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers [...] despite the products already having reached end-of-vulnerability-support,' according to a Zyxel security advisory.

Currently, Zyxel has not detected any exploitation of these vulnerabilities in the wild. However, now that proof-of-concept exploits are public, device owners are advised to apply the security updates as soon as possible to protect their systems.
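An added example, not from the article or from Zyxel: a small inventory check that parses the firmware strings quoted above (the `5.21(AAZF.16)C0` layout) and flags NAS326/NAS542 units still running a release older than the fixed one. The parser, the hostnames and the sample inventory are constructed for this example; only the model names, CVE numbers and firmware versions come from the advisory text.

```python
import re

# Fixed firmware versions named in the advisory; anything older is affected.
# Mapping and parser are constructed here, not Zyxel's own tooling.
FIXED_FIRMWARE = {
    "NAS326": "5.21(AAZF.17)C0",
    "NAS542": "5.21(ABAG.14)C0",
}

# Layout assumed from the strings quoted in the advisory: major.minor(CODE.build)Cpatch
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def parse_firmware(version: str):
    """Split '5.21(AAZF.16)C0' into (major, minor, code, build, patch).
    Raises ValueError when the string does not match the expected layout."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware string: {version!r}")
    major, minor, code, build, patch = m.groups()
    return int(major), int(minor), code, int(build), int(patch)


def is_vulnerable(model: str, version: str) -> bool:
    """True when the firmware on the named model predates the release that
    fixes CVE-2024-29972, CVE-2024-29973 and CVE-2024-29974."""
    fixed = FIXED_FIRMWARE.get(model.upper())
    if fixed is None:
        raise ValueError(f"no fixed firmware known for model {model!r}")
    have, want = parse_firmware(version), parse_firmware(fixed)
    if have[2] != want[2]:
        # The letter code identifies the hardware line; a mismatch means the
        # inventory record pairs the wrong firmware with this model.
        raise ValueError(f"firmware code {have[2]} does not belong to {model}")
    # Order on (major, minor, build, patch); the letter code is not ordered.
    return (have[0], have[1], have[3], have[4]) < (want[0], want[1], want[3], want[4])


def triage(inventory):
    """Given (hostname, model, firmware) tuples, return hosts still needing the patch."""
    return [host for host, model, fw in inventory if is_vulnerable(model, fw)]


# Constructed sample inventory; hostnames are placeholders.
SAMPLE_INVENTORY = [
    ("nas-01", "NAS326", "5.21(AAZF.16)C0"),
    ("nas-02", "NAS326", "5.21(AAZF.17)C0"),
    ("nas-03", "NAS542", "5.21(ABAG.13)C0"),
    ("nas-04", "NAS542", "5.21(ABAG.14)C0"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))  # → ['nas-01', 'nas-03']
```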
