Zyxel fixes critical command injection flaw in EOL NAS devices (CVE-2024-6342)
Users of Zyxel network-attached storage (NAS) devices are urged to implement hotfixes addressing a critical and easily exploited command injection vulnerability (CVE-2024-6342).
About CVE-2024-6342
Zyxel NAS devices are generally used by small to medium-sized businesses (SMBs) for data storage and backup.
CVE-2024-6342 – reported by Nanyu Zhong and Jinwei Dong from VARAS@IIE – is a vulnerability in the export-cgi program of Zyxel NAS326 and NAS542 devices that can be triggered by unauthenticated attackers via a specially crafted HTTP POST request, and may allow them to execute some operating system commands.
“Due to the critical severity of the vulnerability, Zyxel has made hotfixes available to customers with extended support as outlined in the table below, despite the products already having reached end-of-vulnerability-support,” the company said.
Zyxel doesn’t say whether the vulnerability is under active exploitation, but urges users to install the hotfixes “for optimal protection.”
NAS devices are an attractive target for cyber criminals. Earlier this year, a Mirai-like botnet has been spotted trying to leverage another command injection vulnerability (CVE-2024-29973) that Zyxel has fixed in these same end-of-life NAS devices.