漏洞描述
Zyxel NAS542和Zyxel NAS326都是中国合勤(Zyxel)公司的产品。Zyxel NAS542是一款NAS(网络附加存储)设备。Zyxel NAS326是一款云存储 NAS。Zyxel NAS326 V5.21(AAZF.17)C0之前版本、NAS542 V5.21(ABAG.14)C0之前版本存在操作系统命令注入漏洞,该漏洞源于setCookie参数中存在命令注入漏洞,从而导致攻击者可通过HTTP POST请求来执行某些操作系统 (OS) 命令。
Zyxel NAS /cmd,/simZysh/register_main/setCookie 命令执行漏洞 CVE-2024-29973
PoC代码
暂无相关漏洞推荐
- POC CVE-2018-19326: Zyxel VMG1312-B10D 5.13AAXA.8 - Local File Inclusion
- POC CVE-2019-12581: Zyxel ZyWal/USG/UAG Devices - Cross-Site Scripting
- POC CVE-2019-12583: Zyxel ZyWall UAG/USG - Account Creation Access
- POC CVE-2019-9955: Zyxel - Cross-Site Scripting
- POC CVE-2020-29583: ZyXel USG - Hardcoded Credentials
- POC CVE-2020-9054: Zyxel NAS Firmware 5.21- Remote Code Execution
- POC CVE-2021-3297: Zyxel NBG2105 V1.00(AAGU.2)C0 - Authentication Bypass
- POC CVE-2021-46387: Zyxel ZyWALL 2 Plus Internet Security Appliance - Cross-Site Scripting
- POC CVE-2022-0342: Zyxel - Authentication Bypass
- POC CVE-2022-30525: Zyxel Firewall - OS Command Injection
- POC CVE-2024-29972: Zyxel NAS326 Firmware < V5.21(AAZF.17)C0 - NsaRescueAngel Backdoor Account
- POC CVE-2024-29973: Zyxel NAS326 Firmware < V5.21(AAZF.17)C0 - Command Injection
- POC CVE-2021-3297: Zyxel NBG2105 V1.00(AAGU.2)C0 - Authentication Bypass