CVE-2024-29972 Write Up
This time I will share a write-up of a finding I made on a website that is vulnerable to CVE-2024-29972. Okay, let's get straight to it.
Vulnerability Details:
A command injection vulnerability exists in the remote_help-cgi component of Zyxel NAS326 firmware versions prior to V5.21(AAZF.17)C0 and NAS542 firmware versions prior to V5.21(ABAG.14)C0. This flaw could allow unauthenticated attackers to run arbitrary operating system commands by submitting a specially crafted HTTP POST request.
| CVSS Vector |
|---|
| CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
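
To check an asset inventory against the affected-version ranges stated above, the following is an added example (not part of the original write-up and not Zyxel code). It assumes firmware strings follow the layout `V<major>.<minor>(<model code>.<patch>)C<n>` and that releases are ordered by major, minor, then patch number; the inventory rows and the `NAS999` model are constructed for illustration.

```python
import re

# Fixed firmware releases, taken from the vulnerability details above.
FIXED = {
    "NAS326": "V5.21(AAZF.17)C0",
    "NAS542": "V5.21(ABAG.14)C0",
}

# Assumed layout: V<major>.<minor>(<model code>.<patch>)C<customization>
_FW_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)C(\d+)$")


def parse_firmware(version):
    """Return (model_code, (major, minor, patch)) or raise ValueError."""
    m = _FW_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    major, minor, code, patch, _custom = m.groups()
    return code, (int(major), int(minor), int(patch))


def is_affected(model, version):
    """True if firmware is older than the fixed release, False if not.

    Returns None when the model is outside the advisory, the string does
    not parse, or the model code does not match the model, so the record
    is flagged for manual review instead of being treated as safe.
    """
    fixed = FIXED.get(model.upper())
    if fixed is None:
        return None
    fixed_code, fixed_tuple = parse_firmware(fixed)
    try:
        code, current = parse_firmware(version)
    except ValueError:
        return None
    if code != fixed_code:
        return None
    return current < fixed_tuple


# Constructed inventory rows (model, reported firmware), not real devices.
SAMPLE_INVENTORY = [
    ("NAS326", "V5.21(AAZF.16)C0"),
    ("NAS326", "V5.21(AAZF.17)C0"),
    ("NAS542", "V5.21(ABAG.13)C0"),
    ("NAS542", "V5.21(AAZF.16)C0"),  # model code does not match model
    ("NAS999", "V1.00(ZZZZ.1)C0"),   # hypothetical model outside the advisory
]

if __name__ == "__main__":
    for model, fw in SAMPLE_INVENTORY:
        print(model, fw, is_affected(model, fw))
```
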
Proof of Concept (PoC):
- Vulnerability Path
- Payload
Impact:
The most severe impact of this vulnerability is the potential for an unauthenticated attacker to gain remote control over the affected device. By executing arbitrary operating system commands, the attacker could manipulate system files, install malicious software, extract sensitive data, or disrupt the functionality of the device, which could lead to a complete system compromise and unauthorized access to the network.