
Mirai-style Botnet Targets Zyxel NAS Devices in Europe for DDoS Attacks


A recent security threat has been identified targeting Zyxel Network Attached Storage (NAS) devices across Europe. Outpost24's Vulnerability Research Department reported three critical vulnerabilities in Zyxel NAS devices in March 2024. These vulnerabilities, tracked as CVE-2024-29973 (Python code injection), CVE-2024-29972 (NsaRescueAngel backdoor account), and CVE-2024-29974 (persistent remote code execution), are rated critical, with a CVSS score of 9.8.

Specifically, the outdated Zyxel NAS models affected by these vulnerabilities are NAS326 (versions before V5.21(AAZF.16)C0) and NAS542 (versions before V5.21(ABAG.13)C0). Despite reaching their end-of-life, these models were patched by Zyxel due to extended warranty agreements with some organizations.

The vulnerabilities are being exploited by a Mirai-like botnet, allowing threat actors to gain root privileges, execute malicious code, steal sensitive data, and install malware on the affected devices. The Shadowserver Foundation, which monitors threat activity, reported that threat actors are scanning for CVE-2024-29973 in order to recruit endpoints into a botnet. IBM X-Force discovered this remote code injection flaw last year, following Zyxel's patching of CVE-2023-27992.

When compromised, these devices can become part of a botnet used to launch Distributed Denial of Service (DDoS) attacks against critical infrastructure or businesses. Europe is particularly at risk, with 1,194 exposed Zyxel devices, including a significant number in countries like Italy, Russia, Hungary, and Germany.

Outpost24 security researcher Timothy Hjort highlighted a security flaw that occurred during the patching process for CVE-2023-27992, where a new endpoint was added but implemented “the same mistakes as its predecessors.” It is crucial for users of Zyxel NAS devices to secure their systems by identifying their model and version, downloading and installing the latest security patches, and considering disabling remote access.
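The first remediation step above, checking model and firmware version against the fixed releases, can be scripted. The following is an added example, not code from the article or from Zyxel; it assumes the Zyxel version format `V<major>.<minor>(<code>.<build>)C<rev>` seen in the article, that the letter code identifies the model (AAZF for NAS326, ABAG for NAS542), that "before" compares major, minor, then build, with the C-suffix as a tie-breaker, and uses a constructed inventory of hypothetical hosts.

```python
import re
from typing import NamedTuple, Optional

# Fixed firmware versions for the two affected models, as stated in the article.
# Anything earlier is affected by CVE-2024-29972, CVE-2024-29973 and CVE-2024-29974.
FIXED_VERSIONS = {
    "NAS326": "V5.21(AAZF.16)C0",
    "NAS542": "V5.21(ABAG.13)C0",
}

# Assumed Zyxel firmware version layout: V5.21(AAZF.16)C0
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")

class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    code: str   # firmware code letters, e.g. AAZF (assumed to identify the model)
    build: int
    rev: int    # the trailing C-number

def parse_version(s: str) -> ZyxelVersion:
    """Parse a Zyxel firmware version string; raise ValueError on unexpected input."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {s!r}")
    major, minor, code, build, rev = m.groups()
    return ZyxelVersion(int(major), int(minor), code, int(build), int(rev))

def is_vulnerable(model: str, version: str) -> Optional[bool]:
    """True if version is older than the fixed release for this model, False if patched,
    None if the model is not one of the two the article lists."""
    fixed_s = FIXED_VERSIONS.get(model)
    if fixed_s is None:
        return None
    fixed, v = parse_version(fixed_s), parse_version(version)
    if v.code != fixed.code:  # guards against pasting a version from the wrong model
        raise ValueError(f"code {v.code} does not match {model} (expected {fixed.code})")
    # Assumption: ordering is (major, minor, build), with the C revision as tie-breaker.
    return (v.major, v.minor, v.build, v.rev) < (fixed.major, fixed.minor, fixed.build, fixed.rev)

# Constructed inventory of hypothetical hosts (hostname, model, firmware version).
SAMPLE_INVENTORY = [
    ("nas-hr-01", "NAS326", "V5.21(AAZF.14)C0"),
    ("nas-fin-02", "NAS542", "V5.21(ABAG.13)C0"),
    ("nas-lab-03", "NAS540", "V5.21(XXXX.10)C0"),  # placeholder code, model not in article
]

def triage(inventory) -> dict:
    """Map hostname -> 'vulnerable' | 'patched' | 'not-listed' for a patch work list."""
    result = {}
    for host, model, version in inventory:
        r = is_vulnerable(model, version)
        result[host] = "not-listed" if r is None else ("vulnerable" if r else "patched")
    return result

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```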

In the larger context of cybersecurity threats, cybercriminals frequently target NAS devices from various manufacturers such as Zyxel, D-Link, and QNAP due to their importance for organizations and common misconfigurations. Recently, a high-severity security vulnerability affecting thousands of D-Link NAS devices was disclosed, allowing for malicious code execution, data theft, and DoS attacks.

To mitigate the risks posed by these vulnerabilities, it is essential for organizations and individuals to stay informed about security updates, patch their systems promptly, and follow best practices for securing network-attached storage devices. By taking proactive steps to secure their NAS devices, users can protect themselves against potential hijacking and DDoS attacks orchestrated by cybercriminals exploiting known vulnerabilities.
