CVE-2024-29976

moderate-risk

Published 2024-06-04

** UNSUPPORTED WHEN ASSIGNED ** The improper privilege management vulnerability in the command “show_allsessions” in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an authenticated attacker to obtain a logged-in administrator’s session information containing cookies on an affected device.

Do I need to act?

5.7% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (2)

Nas326 Firmware

Nas542 Firmware

Affected Vendors

Zyxel

References (4)

Exploit https://outpost24.com/blog/zyxel-nas-critical-vulnerabilities/

Vendor Advisory https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advis...

Exploit https://outpost24.com/blog/zyxel-nas-critical-vulnerabilities/

Vendor Advisory https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advis...

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 9/34 · Low

Exposure 7/34 · Low