Zyxel security advisory for OS command injection vulnerability in NAS products
CVE: CVE-2024-6342
Summary
Zyxel has released hotfixes addressing command injection vulnerability in two NAS products that have reached end-of-vulnerability-support. Users are advised to install the hotfixes for optimal protection.
What is the vulnerability?
CVE-2024-6342
**UNSUPPORTED WHEN ASSIGNED**
A command injection vulnerability in the export-cgi program of Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.
What versions are vulnerable—and what should you do?
Due to the critical severity of the vulnerability CVE-2024-6342, Zyxel has made hotfixes available to customers with extended support as outlined in the table below, despite the products already having reached end-of-vulnerability-support*.
Affected model | Affected version | Hotfix availability |
---|---|---|
NAS326 | V5.21(AAZF.18)C0 and earlier | V5.21(AAZF.18)Hotfix-01 |
NAS542 | V5.21(ABAG.15)C0 and earlier | V5.21(ABAG.15)Hotfix-01 |
*Both NAS326 and NAS542 reached end-of-vulnerability-support on Dec. 31, 2023.
Got a question?
Please contact your local service rep or visit Zyxel’s Community for further information or assistance.
Acknowledgment
Thanks to Nanyu Zhong and Jinwei Dong from VARAS@IIE for reporting the issue to us.
Revision history
2024-9-10: Initial release.