CVE-2024-29974

9.8 CRITICAL

📋 TL;DR

This critical vulnerability allows an unauthenticated attacker to execute arbitrary code on affected Zyxel NAS devices by uploading a crafted configuration file to the CGI program 'file_upload-cgi'. It affects Zyxel NAS326 and NAS542 devices running firmware older than the fixed builds listed below. No credentials, user interaction or special configuration are needed, and a successful exploit gives full control of the device.

💻 Affected Systems

Products:
  • Zyxel NAS326
  • Zyxel NAS542
Versions: NAS326 firmware before V5.21(AAZF.17)C0, NAS542 firmware before V5.21(ABAG.14)C0
Operating Systems: Embedded Linux (Zyxel NAS firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the default CGI program 'file_upload-cgi' which is typically enabled. No special configuration required for exploitation.

📦 What is this software?

Zyxel NAS326 (2-bay) and NAS542 (4-bay) are small-office and home network-attached storage appliances. They run an embedded Linux firmware whose web management interface is implemented as a set of CGI programs, one of which is the affected 'file_upload-cgi'. Both models had already reached end of support when the advisory was published; Zyxel nevertheless released fixed firmware for them.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the NAS device leading to data theft, ransomware deployment, lateral movement to connected systems, and persistent backdoor installation.

🟠

Likely Case

Unauthenticated remote code execution allowing attackers to steal sensitive data, install malware, or use the device as a foothold for further attacks.

🟢

If Mitigated

Limited impact if device is isolated, patched, or has strict network access controls preventing external exploitation.

🌐 Internet-Facing: HIGH - Unauthenticated RCE with CVSS 9.8 score makes internet-facing devices extremely vulnerable to widespread exploitation.
🏢 Internal Only: HIGH - Even internally, unauthenticated RCE means any host that can reach the web interface (including compromised workstations and IoT devices) can take over the NAS and pivot to other systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Technical details and a proof-of-concept were published by the reporting researcher (Outpost24) alongside the vendor advisory. Exploitation is a single unauthenticated HTTP upload of a crafted configuration file to the CGI program; no race, memory corruption or credential is involved, so weaponization is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: NAS326: V5.21(AAZF.17)C0 or later, NAS542: V5.21(ABAG.14)C0 or later

Vendor Advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-nas-products-06-04-2024

Restart Required: Yes

Instructions:

1. Download the latest firmware for your model (NAS326 or NAS542) from the Zyxel support portal.
2. Log into the NAS web interface.
3. Navigate to Maintenance > Firmware Upgrade.
4. Upload and apply the firmware file.
5. The device reboots automatically; confirm the new version afterwards (see How to Verify).

🔧 Temporary Workarounds

Restrict access to the web interface at the network firewall

linux

Block untrusted networks from reaching the NAS web ports at all; this is more reliable than trying to recognise the CGI name inside requests. A string match on the request only works for plaintext HTTP on port 80. Over HTTPS (port 443) the request path is encrypted, so a string rule never matches; even on port 80 the name can be percent-encoded or split across TCP segments. Treat the string rule as a stopgap and rely on the source-address rule. Replace 192.168.1.0/24 with your management subnet.

# Best-effort: drop plaintext requests that name the CGI program (port 80 only)
iptables -A INPUT -p tcp --dport 80 -m string --string "file_upload-cgi" --algo bm -j DROP
# Reliable: only the management subnet may reach the web interface at all (HTTP and HTTPS)
iptables -A INPUT -p tcp -m multiport --dports 80,443 ! -s 192.168.1.0/24 -j DROP

Rename the CGI program (requires shell access)

linux

If you have shell access to the device, rename the vulnerable CGI program so the web server can no longer execute it. Prefer renaming to deleting so the change can be reverted. Caveats: this can break legitimate upload features of the web UI, and the change may not survive a reboot or firmware update, so re-check it after either. Patching remains the only real fix.

mv /path/to/file_upload-cgi /path/to/file_upload-cgi.disabled

🧯 If You Can't Patch

  • Immediately remove the NAS from the internet (no port forwarding, no UPnP-created mappings, no DMZ) and restrict access to the web interface to trusted management IPs only.
  • Put the device behind a reverse proxy or WAF that denies requests whose path contains file_upload-cgi from anything other than trusted sources, and alert on every such request.
  • If the device was reachable from the internet before it was fixed, treat it as potentially compromised: check for unknown accounts, scheduled tasks and unexpected outbound connections, and consider a factory reset followed by a fresh firmware install.

🔍 How to Verify

Check if Vulnerable:

Check firmware version in NAS web interface under Maintenance > System Information. Compare against patched versions.

Check Version:

If SSH is enabled: ssh admin@nas-ip 'cat /etc/version' (or read Firmware Version from the web interface under Maintenance > System Information)

Verify Fix Applied:

Confirm firmware version shows V5.21(AAZF.17)C0 or later for NAS326, or V5.21(ABAG.14)C0 or later for NAS542.
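Comparing Zyxel version strings by eye is error-prone when checking a fleet, so here is an added example (not from the advisory or from Zyxel) that parses the V<major>.<minor>(<code>.<patch>)C<release> format and decides whether a given NAS326/NAS542 build predates the fix. The mapping of the four-letter code AAZF to NAS326 and ABAG to NAS542 is taken from the two fixed versions quoted on this page, not from a published Zyxel naming rule, and the script assumes any later release train also carries the fix.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Zyxel NAS firmware versions look like "V5.21(AAZF.17)C0":
#   V<major>.<minor>(<model code>.<patch>)C<release>
# Assumption (derived from the two fixed builds on this page): AAZF = NAS326, ABAG = NAS542.
VERSION_RE = re.compile(r"V(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)C(\d+)")

# Fixed builds named in the Zyxel advisory; anything ordered before these is affected.
FIXED = {
    "AAZF": ("NAS326", (5, 21, 17)),   # V5.21(AAZF.17)C0
    "ABAG": ("NAS542", (5, 21, 14)),   # V5.21(ABAG.14)C0
}


@dataclass
class Verdict:
    model: str
    version: Tuple[int, int, int]
    vulnerable: bool
    reason: str


def parse_version(s: str) -> Tuple[str, Tuple[int, int, int], int]:
    """Split a version string into (model code, (major, minor, patch), release)."""
    m = VERSION_RE.fullmatch(s.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {s!r}")
    major, minor, code, patch, release = m.groups()
    return code, (int(major), int(minor), int(patch)), int(release)


def assess(version_string: str) -> Verdict:
    """Decide whether a NAS326/NAS542 firmware version is affected by CVE-2024-29974."""
    code, ver, _release = parse_version(version_string)
    if code not in FIXED:
        raise ValueError(f"model code {code!r} is not NAS326 (AAZF) or NAS542 (ABAG)")
    model, fixed = FIXED[code]
    # Order by (major, minor, patch). The trailing C<n> release marker is ignored
    # because the advisory names the fix at the patch level (C0). Assumption: a
    # later major/minor train also contains the fix.
    if ver < fixed:
        return Verdict(model, ver, True,
                       f"{version_string} predates the fixed build "
                       f"V{fixed[0]}.{fixed[1]}({code}.{fixed[2]})C0")
    return Verdict(model, ver, False, f"{version_string} is at or after the fixed build")


def scan_text(text: str) -> List[str]:
    """Pull every version string out of free text, e.g. a saved System Information page."""
    return [m.group(0) for m in VERSION_RE.finditer(text)]


if __name__ == "__main__":
    # Constructed inputs for demonstration.
    for v in ("V5.21(AAZF.16)C0", "V5.21(AAZF.17)C0", "V5.21(ABAG.13)C0", "V5.21(ABAG.14)C0"):
        r = assess(v)
        print(f"{r.model}: {'VULNERABLE' if r.vulnerable else 'fixed'} - {r.reason}")
```

Feed `scan_text` the saved HTML of the System Information page or the output of the SSH command above, then pass each string to `assess`; a ValueError on the model code tells you the device is not one of the two covered by this CVE.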

📡 Detection & Monitoring

Log Indicators:

  • Any POST to the file_upload-cgi program from a source that has not logged in: the exploit needs no authentication, so a single unauthenticated upload request is itself the indicator
  • Unexpected child processes spawned from the web server or CGI context (shells, download tools, scripting interpreters)
  • New accounts, scheduled tasks or startup entries appearing after such a request

Network Indicators:

  • HTTP POST requests whose path contains file_upload-cgi, especially from outside the management network; match on the program name rather than the full path, since the URL prefix in front of it can differ between firmware builds and attackers may percent-encode the name or append query strings
  • Outbound connections from the NAS to unknown IPs shortly after such a request (second-stage download or callback)

SIEM Query:

source="nas_logs" AND ((method="POST" AND uri="*file_upload-cgi*") OR process="file_upload-cgi")

Note the wildcard match on the URI: an exact comparison against "/cgi-bin/file_upload-cgi" misses query strings, alternative prefixes and encoded variants.
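As an added example (not part of this page or of any Zyxel tooling), the detection logic from the indicators above applied to web access-log lines: it percent-decodes and normalises the request path before matching on the CGI name, rates an unauthenticated POST from outside the trusted networks as high severity, and counts attempts per source. The sample log lines are constructed in the common Apache/Nginx "combined" layout; the Zyxel web server's own log format is not documented here, so the assumption is that a reverse proxy, IDS or syslog collector in front of the NAS records requests this way.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample access-log lines ("combined" layout). The two 203.0.113.77
# requests model an unauthenticated external exploit attempt, the second one
# percent-encoded (%5F is '_') with a query string appended to dodge exact matches.
SAMPLE_LOG = """\
192.168.1.23 - - [10/Jun/2024:09:12:01 +0000] "GET /desktop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.77 - - [10/Jun/2024:09:13:44 +0000] "POST /cgi-bin/file_upload-cgi HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.77 - - [10/Jun/2024:09:13:45 +0000] "POST /cgi-bin/FILE%5Fupload-cgi?x=1 HTTP/1.1" 200 312 "-" "python-requests/2.31"
192.168.1.23 - - [10/Jun/2024:09:20:10 +0000] "POST /cgi-bin/file_upload-cgi HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2024:09:21:00 +0000] "GET /cgi-bin/file_upload-cgi HTTP/1.1" 404 0 "-" "curl/8.4"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Match on the CGI program name, not on an exact URI: the path prefix in front of
# it may differ between firmware builds, and attackers can add query strings or
# percent-encode characters.
CGI_NAME = "file_upload-cgi"


def normalise_target(target: str) -> str:
    """Strip the query string, percent-decode (twice, to collapse double encoding) and lower-case."""
    path = target.split("?", 1)[0]
    return unquote(unquote(path)).lower()


def is_trusted(ip: str, trusted_nets) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def find_upload_cgi_hits(log_text: str,
                         trusted_cidrs=("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")):
    """Return one alert per request that touches file_upload-cgi.

    Severity: POST from outside the trusted networks is 'high' (the exploit needs
    no authentication, so one external POST is enough to matter); POST from inside
    is 'medium'; a non-POST probe of the endpoint is 'low'.
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if CGI_NAME not in normalise_target(m["target"]):
            continue
        if m["method"] != "POST":
            severity = "low"
        elif is_trusted(m["ip"], trusted):
            severity = "medium"
        else:
            severity = "high"
        alerts.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                       "status": int(m["status"]), "severity": severity})
    return alerts


def hits_per_source(alerts):
    """Count alerts per source IP so repeated attempts from one host stand out."""
    counts = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_upload_cgi_hits(SAMPLE_LOG)
    for a in hits:
        print(f'{a["severity"]:6} {a["ip"]:15} {a["method"]} status={a["status"]} at {a["ts"]}')
    print("per source:", hits_per_source(hits))
```

Adjust the trusted CIDRs to your management network; a 200 response to an external POST is the case to escalate first, since it indicates the upload was accepted rather than rejected.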
