Mirai-like botnet is exploiting recently disclosed Zyxel NAS flaw

Pierluigi Paganini June 25, 2024

Researchers warn that a Mirai-based botnet is exploiting a recently disclosed critical vulnerability in EoL Zyxel NAS devices.

Researchers at the Shadowserver Foundation warn that a Mirai-based botnet has started exploiting a recently disclosed vulnerability tracked as CVE-2024-29973 (CVSS score 9.8) in end-of-life NAS devices Zyxel NAS products.

The flaw is a command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0. An unauthenticated attacker can exploit the flaw to execute some operating system (OS) commands by sending a crafted HTTP POST request.

The vulnerability affects NAS326 running firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and older.

The vulnerability stems from the fix for another code injection issue tracked as CVE-2023-27992 that was addressed in June 2023.

Now the researchers at the Shadowserver Foundation reported that they have started observing exploitation attempts for this vulnerability by a Mirai-like botnet. The experts urge a replacement of the EoL devices and pointed out that PoC exploit code is publicly available.

… and consider a replacement for these now unsupported devices!

NVD entry: https://t.co/aqx6xPhdYB

Vulnerability/exploit details are public.
— The Shadowserver Foundation (@Shadowserver) June 21, 2024

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Mirai)

botnet Cybercrime Hacking hacking news information security news IT Information Security malware Mirai Pierluigi Paganini Security Affairs Security News ZYXEL

Pierluigi Paganini July 26, 2025

Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

Pierluigi Paganini July 26, 2025