Zyxel NAS devices hit by critical security threat, so patch now

News
By published

Five vulnerabilities discovered in two NAS devices

An abstract image of padlocks overlaying a digital background.
(Image credit: Shutterstock) (Image credit: Shutterstock)

Zyxel has patched three high-severity flaws plaguing some of its NAS devices.

In a security advisory, Zyxel said it released patches for CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, three flaws with severity scores of 9.8/10 (critical), and urged users to apply them immediately.

The vulnerabilities, discovered in March 2024, were discovered in NAS326 (running version V5.21(AAZF.16)C0 and earlier) and NAS542 (running versions V5.21(ABAG.13)C0 and earlier). 

Proof of concept

CVE-2024-29972 is a backdoor account in the Zyxel firmware, called "NsaRescueAngel". This is a remote support account with root privileges that Zyxel supposedly removed four years ago, but obviously didn’t. CVE-2024-29973 is a Python code injection flaw that Zyxel created while patching a separate vulnerability last year (CVE-2023-27992), while CVE-2024-29974 is a remote code execution (RCE) flaw granting potential attackers persistence on the compromised devices. 

Besides the three flaws, the researchers found two additional ones - CVE-2024-29975 and CVE-2024-29976. However, these are moderately severe, with scores 6.7 and 6.5 respectively. Both are described as privilege escalation flaws. 

It is also worth mentioning that these two Zyxel devices reached end-of-life status on December 31, 2023, and Zyxel still decided to patch them for the organizations with extended warranty.

"Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support… despite the products already having reached end-of-vulnerability-support," the advisory added. 

The vulnerabilities were found by Timothy Hjort, a security research intern at Outpost24, The Register reported. Besides the discovery, Hjort also included a proof of concept (PoC) that demonstrated how the vulnerabilities could be exploited. At press time, there were no reports or evidence of in-the-wild abuse, however, since the devices are past EoD, and with the methodology widely available, it is probably just a matter of time. 

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Security
Zyxel says it won’t patch security flaws in its old routers
Ransomware
Synology patches critical vulnerabilities, urges users to update devices against zero-click attacks
An image of network security icons for a network encircling a digital blue earth.
Industrial networks exposed to attack by faulty Moxa devices
cables going into the back of a broadband router on white background
Netgear urges users to patch major router security issues now
The best free firewall
Sophos hotfixes remote code execution vulnerabilities in Firewall
Digital image of a lock.
Fortinet flags some worrying security bugs coming back from the dead
Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
A super close up image of the Google Gemini app in the Play Store
It's official: Google Assistant will be retired for phones this year, with Gemini taking over
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 16 (game #1147)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 16 (game #378)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 16 (game #644)
Three iPhone 16 handsets on show
Apple could launch an iPhone 17 Ultra this year – but we've heard these rumors before
Super Mario Odyssey
ChatGPT is the ultimate gaming tool - here's 4 ways you can use AI to help with your next playthrough
More about security
Email

Over 90% of Americans demand a "right-to-disconnect" law which would protect them from out-of-hours work communication
A hand holding an iPhone with the iCloud logo on screen.

"I have nothing to hide" - our readers react to Apple getting secret hearing in appeal against UK government

Disappointed by The Electric State? Here's 4 reasons you should watch Tales From the Loop on Prime Video
See more latest
Most Popular
Zuckerberg Meta AI
Meta powers ahead with conscious chip uncoupling with Nvidia as it tests its first in-house training AI-PU
Email
Over 90% of Americans demand a "right-to-disconnect" law which would protect them from out-of-hours work communication
A super close up image of the Google Gemini app in the Play Store
It's official: Google Assistant will be retired for phones this year, with Gemini taking over
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 16 (game #378)
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 16 (game #1147)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 16 (game #644)
Gachapon Capsure Station
Somewhere in Japan is a dispenser where you can buy toy rack servers complete with cute Dell PowerEdge 2U servers
An angry Mark Grayson flying towards the camera in Invincible season 3 episode 7
Invincible season 4: everything we know so far about the hit Prime Video show's next chapter
Three iPhone 16 handsets on show
Apple could launch an iPhone 17 Ultra this year – but we've heard these rumors before
A hand holding an iPhone with the iCloud logo on screen.
"I have nothing to hide" - our readers react to Apple getting secret hearing in appeal against UK government