CVE-2024-29972
Published: 04 June 2024
Summary
CVE-2024-29972 is a critical-severity OS Command Injection (CWE-78) vulnerability in Zyxel NAS326 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-29972 is a command injection flaw in the remote_help-cgi CGI program shipped in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0. The affected products were marked as unsupported when the CVE was assigned. The issue is classified under CWE-78 and carries a CVSS 3.1 score of 9.8, reflecting unauthenticated exploitation over the network with high impact on confidentiality, integrity, and availability.
An unauthenticated remote attacker can exploit the flaw by submitting a crafted HTTP POST request to the device, which results in execution of arbitrary operating system commands on the affected NAS.
Zyxel’s security advisory for multiple NAS vulnerabilities, along with analysis from Outpost24, directs administrators to apply the fixed firmware releases V5.21(AAZF.17)C0 and V5.21(ABAG.14)C0 on supported models to address the issue.
The associated EPSS score stands at 0.9226 with a recorded peak of 0.9268.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-26946
Vulnerability details
** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the CGI program "remote_help-cgi" in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the AI-derived controls listed here come only from the weakness types (CWEs) cited in the NVD entry.