CVE-2024-6342

9.8 CRITICAL

📋 TL;DR

This is an unauthenticated command injection vulnerability in Zyxel NAS devices that allows remote attackers to execute arbitrary operating system commands. Attackers can exploit it by sending a crafted HTTP POST request to the export-cgi program. All users of affected Zyxel NAS326 and NAS542 firmware versions are vulnerable.

💻 Affected Systems

Products:
  • Zyxel NAS326
  • Zyxel NAS542
Versions: NAS326 through V5.21(AAZF.18)C0, NAS542 through V5.21(ABAG.15)C0
Operating Systems: Zyxel NAS firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is in the export-cgi program and affects default configurations. Marked as UNSUPPORTED WHEN ASSIGNED by vendor.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise allowing attackers to install malware, steal data, pivot to other systems, or render the NAS unusable.

🟠 Likely Case: Data theft, ransomware deployment, or use as a foothold for lateral movement within the network.

🟢 If Mitigated: Limited impact if the device is isolated behind strict network controls and firewalls.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation with CVSS 9.8 score indicates critical risk for internet-facing devices.
🏢 Internal Only: HIGH - Even internally, unauthenticated exploitation allows attackers with network access to compromise the device.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Unauthenticated exploitation with simple HTTP POST request makes this easily weaponizable. No public PoC known at advisory time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for latest patched versions

Vendor Advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-os-command-injection-vulnerability-in-nas-products-09-10-2024

Restart Required: Yes

Instructions:

1. Access the Zyxel NAS web interface.
2. Navigate to System > Firmware Update.
3. Check for and apply the latest firmware.
4. Reboot the device after the update.

🔧 Temporary Workarounds

Network Isolation

Block external access to the NAS web interface and restrict internal access to trusted IPs only. Example iptables rules (replace TRUSTED_IP with the management host's address; rule order matters, since the DROP rules are appended after the ACCEPT rules and only catch what the ACCEPTs did not match):

# allow the NAS web interface only from the trusted management host
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
# drop web-interface traffic from everyone else
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Disable Web Interface

Temporarily disable the web management interface if it is not needed. Check the Zyxel admin interface for the option to disable the web service.

🧯 If You Can't Patch

  • Immediately isolate device from internet and restrict network access to minimum required
  • Implement strict network segmentation and monitor for suspicious HTTP POST requests to export-cgi

🔍 How to Verify

Check if Vulnerable:

Check firmware version in NAS web interface under System > Information

Check Version:

Check via web interface or SSH if enabled: cat /etc/version

Verify Fix Applied:

Confirm firmware version is newer than affected versions listed in advisory

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to export-cgi with unusual parameters
  • Unexpected command execution in system logs
  • Failed authentication attempts followed by POST requests

Network Indicators:

  • HTTP POST to /cgi-bin/export-cgi with command injection patterns
  • Unusual outbound connections from NAS device

SIEM Query:

source="nas_logs" AND (uri="/cgi-bin/export-cgi" OR (method="POST" AND uri CONTAINS "export-cgi"))
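The log and network indicators above can be turned into a small offline check. The following Python script is an added example, not part of this advisory or any Zyxel tooling: it parses access-log lines, keeps only POST requests to export-cgi, and raises the finding to "high" when the URL-decoded query string or body carries shell metacharacters (the "command injection patterns" the indicators refer to). The log layout (Common Log Format plus a trailing quoted request body) and the sample lines are assumptions constructed for the example; a stock NAS access log may not record the body, in which case only the URI and query-string checks apply.

```python
import re
import urllib.parse
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    src: str
    uri: str
    severity: str   # "high" = shell metacharacters seen, "info" = plain POST hit
    evidence: str


# Assumed log layout: Common Log Format plus a trailing quoted request body
# (a layout a reverse proxy in front of the NAS can be configured to emit).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<body>[^"]*)"$'
)

# Shell metacharacters that have no business in export-cgi parameters.
SHELL_META = re.compile(r'[;|`&]|\$\(|\$\{|\n')

# Constructed sample log lines (not real captures from a Zyxel device):
# a benign export, two requests with encoded shell metacharacters, one unrelated GET.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2024:12:00:01 +0000] "POST /cgi-bin/export-cgi HTTP/1.1" 200 512 "page=1"
203.0.113.9 - - [10/Sep/2024:12:00:07 +0000] "POST /cgi-bin/export-cgi HTTP/1.1" 200 77 "page=1%3Becho%20probe"
10.0.0.8 - - [10/Sep/2024:12:00:09 +0000] "GET /cgi-bin/weblogin.cgi HTTP/1.1" 200 2048 "-"
198.51.100.4 - - [10/Sep/2024:12:00:15 +0000] "POST /cgi-bin/export-cgi HTTP/1.1" 500 0 "page=%24%28hostname%29"
"""


def suspicious_fragment(text: str) -> Optional[str]:
    """Return the first shell-metacharacter sequence found after URL-decoding, or None."""
    decoded = urllib.parse.unquote_plus(text)
    m = SHELL_META.search(decoded)
    return decoded[m.start():m.start() + 20] if m else None


def scan(log_text: str) -> List[Finding]:
    """Flag every POST to export-cgi; escalate when query or body carries shell metacharacters."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not in the assumed layout; skip silently
        uri = m["uri"]
        if "export-cgi" not in uri.split("?", 1)[0] or m["method"] != "POST":
            continue
        # Both the query string (if any) and the body are client-controlled input.
        query = uri.partition("?")[2]
        body = "" if m["body"] == "-" else m["body"]
        for part in (query, body):
            frag = suspicious_fragment(part)
            if frag is not None:
                findings.append(Finding(m["src"], uri, "high", frag))
                break
        else:
            findings.append(Finding(m["src"], uri, "info", "POST to export-cgi"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.severity:5} {f.src:14} {f.uri}  {f.evidence}")
```

Feed it a real access log via `scan(open(path).read())`; "info" hits correspond to the SIEM query above, while "high" hits are the ones worth paging on. Decoding before matching matters, since `%3B` and `%24%28` look harmless in the raw line.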
