9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
AI Score
Confidence
High
0.937 High
EPSS
Percentile
99.1%
Zyxel has released security updates to address critical flaws impacting two of its network-attached storage (NAS) devices that have currently reached end-of-life (EoL) status.
Successful exploitation of three of the five vulnerabilities could permit an unauthenticated attacker to execute operating system (OS) commands and arbitrary code on affected installations.
Impacted models include NAS326 running versions V5.21(AAZF.16)C0 and earlier, and NAS542 running versions V5.21(ABAG.13)C0 and earlier. The shortcomings have been resolved in versions V5.21(AAZF.17)C0 and V5.21(ABAG.14)C0, respectively.
A brief description of the flaws is as follows -
Outpost24 security researcher Timothy Hjort has been credited with discovering and reporting the five flaws. It’s worth noting that the two of the privilege escalation flaws that require authentication remain unpatched.
While there is no evidence that the issues have been exploited in the wild, users are recommended to update to the latest version for optimal protection.
The Shadowserver Foundation, on June 21, 2024, said it’s seeing exploitation attempts targeting CVE-2024-29973 to deliver a Mirai-like botnet, making it essential that users take steps to either apply the patch or upgrade to a supported device to mitigate threats.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
AI Score
Confidence
High
0.937 High
EPSS
Percentile
99.1%