Taiwanese networking device manufacturer Zyxel has issued fixes for five security vulnerabilities affecting its NAS326 and NAS542 network-attached storage devices, which have not been supported since the end of 2023. Three of the flaws are rated critical and could be exploited to achieve remote code execution and command injection, according to The Register.
The critical bugs addressed are a backdoor account within the "NsaRescueAngel" firmware, tracked as CVE-2024-29972; a Python code injection issue, tracked as CVE-2024-29973, which stemmed from the remediation of another critical flaw; and an RCE vulnerability that enables increased persistence, tracked as CVE-2024-29974, according to Zyxel and Outpost24 vulnerability research intern Timothy Hjort, who discovered the security issues. Zyxel also patched two medium-severity privilege escalation flaws, tracked as CVE-2024-29975 and CVE-2024-29976.
Neither Zyxel nor Hjort has provided information on whether any of the addressed flaws are being actively exploited.