CVE-2024-29975

2024-06-0401:43:06

CWE-269

Zyxel

www.cve.org

improper privilege management

suid executable binary

zyxel nas326

nas542

firmware

authenticated local attacker

administrator privileges

system commands

root user

vulnerable device

6.7 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

6.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

UNSUPPORTED WHEN ASSIGNED
The improper privilege management vulnerability in the SUID executable binary in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an authenticated local attacker with administrator privileges to execute some system commands as the “root” user on a vulnerable device.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "NAS326 firmware",
    "vendor": "Zyxel",
    "versions": [
      {
        "status": "affected",
        "version": "< V5.21(AAZF.17)C0"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "NAS542 firmware",
    "vendor": "Zyxel",
    "versions": [
      {
        "status": "affected",
        "version": "< V5.21(ABAG.14)C0"
      }
    ]
  }
]