CVE-2024-29972
published 2024-06-04CVE-2024-29972: ** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the CGI program "remote_help-cgi" in Zyxel NAS326 firmware versions before…
critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the CGI program "remote_help-cgi" in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zyxel | nas326_firmware | < V5.21(AAZF.17)C0 | V5.21(AAZF.17)C0 |
| zyxel | nas326_firmware | < 5.21\(aazf.17\)c0 | 5.21\(aazf.17\)c0 |
| zyxel | nas542_firmware | < V5.21(ABAG.14)C0 | V5.21(ABAG.14)C0 |
| zyxel | nas542_firmware | < 5.21\(abag.14\)c0 | 5.21\(abag.14\)c0 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.8CRITICAL