"NsaRescueAngel Backdoor Account Again Discovered in Zyxel Products"

Taiwan-based networking device manufacturer Zyxel recently announced three critical-severity vulnerabilities in two discontinued NAS products that could lead to command injection and arbitrary code execution. The first two flaws, tracked as CVE-2024-29972 and CVE-2024-29973, are command injection bugs that can be exploited without authentication via crafted HTTP POST requests. Another unauthenticated issue, CVE-2024-29974, could allow attackers to execute arbitrary code by uploading crafted configuration files.

Zyxel says the impacted products, NAS326 and NAS542, were discontinued in December 2023. The company noted that, due to the critical severity of CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, it has made patches available to customers with extended support even though the products have already reached end-of-vulnerability-support. The bugs were reported to Zyxel in March 2024.

The vulnerabilities were discovered by Timothy Hjort, who explained in a technical write-up that CVE-2024-29972 allows an attacker to enable a backdoor account that has root privileges. This account enables a full compromise of the targeted device. The backdoor account, named "NsaRescueAngel," was first discovered several years ago. Zyxel reportedly removed it in 2020, but the researcher says it has been re-enabled at some point. NAS326 users are advised to update to firmware version V5.21(AAZF.17)C0, and NAS542 users should update to firmware version V5.21(ABAG.14)C0 as soon as possible.

 

SecurityWeek reports: "NsaRescueAngel Backdoor Account Again Discovered in Zyxel Products"

Submitted by Adam Ekwall on