CVE-2024-29974
Published: 04 June 2024
Summary
CVE-2024-29974 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Zyxel NAS326 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 2.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-29974 is a remote code execution vulnerability in the file_upload-cgi CGI program present in Zyxel NAS326 firmware versions prior to V5.21(AAZF.17)C0 and NAS542 firmware versions prior to V5.21(ABAG.14)C0. The flaw, assigned CWE-434, permits an unauthenticated attacker to upload a crafted configuration file that results in arbitrary code execution on the device. It carries a CVSS 3.1 score of 9.8, reflecting a network-reachable attack with low attack complexity and no required credentials or user interaction.
An unauthenticated remote attacker can exploit the issue over the network by sending a malicious configuration file to the vulnerable CGI endpoint, achieving full control over the affected NAS device including the ability to read, modify, or delete data and disrupt availability.
Zyxel’s security advisory and related analysis from Outpost24 state that the affected firmware versions should be updated to the corrected releases V5.21(AAZF.17)C0 for NAS326 and V5.21(ABAG.14)C0 for NAS542; the CVE entry itself is flagged as unsupported when assigned, indicating the devices are beyond the vendor’s support lifecycle.
The associated EPSS score has reached a peak of 0.4760 with a current value of 0.4371, indicating substantial and sustained exploitation interest following disclosure.
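A firmware triage check for the fixed releases named above, as an added example that is not code from Zyxel, Outpost24 or this page. It assumes the four-letter code in the version string identifies the model line and that releases order by (major, minor, patch, C-number); the hostnames and inventory are constructed.

```python
import re

# Fixed releases named on this page, keyed by the four-letter code inside the
# parentheses (assumption: that code identifies the model's firmware line).
FIXED = {
    "AAZF": ("NAS326", (5, 21, 17, 0)),  # V5.21(AAZF.17)C0
    "ABAG": ("NAS542", (5, 21, 14, 0)),  # V5.21(ABAG.14)C0
}

# Accepts only strings shaped like the versions quoted on this page.
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)C(\d+)$")


def triage(version):
    """Return (model, status) for one firmware version string.

    status is "fixed", "vulnerable", "not-in-scope" or "unparsed".
    Assumption: releases order by (major, minor, patch, C-number).
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        return (None, "unparsed")  # never guess: send to manual review
    major, minor, code, patch, cnum = m.groups()
    if code not in FIXED:
        return (None, "not-in-scope")
    model, fixed = FIXED[code]
    current = (int(major), int(minor), int(patch), int(cnum))
    return (model, "fixed" if current >= fixed else "vulnerable")


def needs_action(inventory):
    """Hosts that are vulnerable or whose version could not be parsed."""
    return [host for host, version in inventory
            if triage(version)[1] in ("vulnerable", "unparsed")]


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = [
    ("nas-a.example", "V5.21(AAZF.16)C0"),
    ("nas-b.example", "V5.21(AAZF.17)C0"),
    ("nas-c.example", "V5.21(ABAG.13)C0"),
    ("nas-d.example", "5.21-unknown"),
]

if __name__ == "__main__":
    for host, version in SAMPLE:
        print(host, version, *triage(version))
    print("needs action:", needs_action(SAMPLE))
```

Unparsed version strings are reported alongside vulnerable ones so that an unexpected format is reviewed by hand rather than silently treated as patched.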
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-26948
Vulnerability details
** UNSUPPORTED WHEN ASSIGNED ** The remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.