CVE-2024-29973
The command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 firmware versions before...
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- March 22, 2024
- Published Date
- June 04, 2024
- Last Updated
- August 02, 2024
- Vendor
- Zyxel
- Product
- NAS326 firmware, NAS542 firmware
- Description
- The command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.
- Tags
- Score
- 93.70% (Percentile: 99.84%) as of 2025-06-12
- Exploitation
- poc
- Automatable
- Yes
- Technical Impact
- total
- Exploited in the Wild
- Yes (2025-05-15 00:00:00 UTC) Source
CVSS Scores
CVSS v3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
SSVC Information
Exploit Status
References
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| The Shadowserver (via CIRCL) | 2025-05-15 00:00:00 UTC |
Scanner Integrations
| Scanner | URL | Date Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-29973.yaml | 2025-04-26 00:00:00 UTC |
Potential Proof of Concepts
Warning: These PoCs have not been tested and could contain malware. Use at your own risk.
RevoltSecurities/CVE-2024-29973
Type: github • Created: 2024-06-21 15:20:52 UTC • Stars: 7
k3lpi3b4nsh33/CVE-2024-29973
Type: github • Created: 2024-06-20 01:52:35 UTC • Stars: 10
bigb0x/CVE-2024-29973
Type: github • Created: 2024-06-19 10:34:56 UTC • Stars: 8
momika233/CVE-2024-29973
Type: github • Created: 2024-06-19 09:28:46 UTC • Stars: 3
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Detected by Nuclei
-
Added to KEVIntel