
Update remediates critical bugs in EOL Zyxel NAS devices


Taiwanese networking device manufacturer Zyxel has issued fixes for five security vulnerabilities in its NAS326 and NAS542 network-attached storage devices, which have been unsupported since the end of 2023. Three of the flaws are critical and could be exploited for remote code execution and command injection attacks, according to The Register.

The critical bugs addressed were a backdoor account within the "NsaRescueAngel" firmware, tracked as CVE-2024-29972; a Python code injection issue, tracked as CVE-2024-29973, that stemmed from the remediation of another critical flaw; and an RCE vulnerability enabling increased persistence, tracked as CVE-2024-29974, according to Zyxel and Outpost24 vulnerability research intern Timothy Hjort, who discovered the issues. Zyxel also patched two medium-severity privilege escalation flaws, tracked as CVE-2024-29975 and CVE-2024-29976.

Neither Zyxel nor Hjort has provided any information on whether any of the addressed flaws have been actively exploited.
