Pierluigi Paganini June 25, 2024

Researchers warn that a Mirai-based botnet is exploiting a recently disclosed critical vulnerability in EoL Zyxel NAS devices.

Researchers at the Shadowserver Foundation warn that a Mirai-based botnet has started exploiting a recently disclosed vulnerability tracked as CVE-2024-29973 (CVSS score 9.8) in end-of-life NAS devices Zyxel NAS products.

The flaw is a command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0. An unauthenticated attacker can exploit the flaw to execute some operating system (OS) commands by sending a crafted HTTP POST request.

The vulnerability affects NAS326 running firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and older.

The vulnerability stems from the fix for another code injection issue tracked as CVE-2023-27992 that was addressed in June 2023.

Now the researchers at the Shadowserver Foundation reported that they have started observing exploitation attempts for this vulnerability by a Mirai-like botnet. The experts urge a replacement of the EoL devices and pointed out that PoC exploit code is publicly available.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Mirai)