CVE-2024-29974

Description

** UNSUPPORTED WHEN ASSIGNED ** The remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

Zyxel / NAS326 firmware< V5.21(AAZF.17)C0 – < V5.21(AAZF.17)C0
Zyxel / NAS542 firmware< V5.21(ABAG.14)C0 – < V5.21(ABAG.14)C0

References

VENDOR_ADVISORYhttps://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-nas-products-06-04-2024
MISChttps://outpost24.com/blog/zyxel-nas-critical-vulnerabilities/