Connect with us

Hi, what are you looking for?



‘NsaRescueAngel’ Backdoor Account Again Discovered in Zyxel Products

Critical vulnerabilities in discontinued Zyxel NAS products allow unauthenticated attackers to execute arbitrary code and OS commands.

Taiwan-based networking device manufacturer Zyxel on Tuesday warned of three critical-severity vulnerabilities in two discontinued NAS products that could lead to command injection and arbitrary code execution.

Tracked as CVE-2024-29972 and CVE-2024-29973, the first two flaws are command injection bugs that can be exploited without authentication, via crafted HTTP POST requests.

Another unauthenticated issue, CVE-2024-29974, could allow attackers to execute arbitrary code by uploading crafted configuration files.

In its advisory, Zyxel warns that the impacted products – NAS326 and NAS542 – were discontinued in December 2023.

“Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support, despite the products already having reached end-of-vulnerability-support,” the company notes.

According to Outpost24 security researcher Timothy Hjort, who discovered and reported the flaws, successful exploitation of these issues could allow an attacker to achieve persistent root access to the vulnerable NAS devices.

CVE-2024-29972, Hjort explains in a technical writeup, allows an attacker to enable a backdoor account that has root privileges. This account enables a full compromise of the targeted device. 

The backdoor account, named ‘NsaRescueAngel’, was first discovered several years ago. It was reportedly removed by Zyxel in 2020, but Outpost24 says it has been re-enabled at some point.

Advertisement. Scroll to continue reading.

The second bug, Hjort says, was introduced last year, when Zyxel rolled out patches for CVE-2023-27992, a pre-authentication command injection in some NAS devices.

As for CVE-2024-29974, it impacts a function for backing up and restoring configuration files, and allows an attacker to achieve persistent code execution on a vulnerable device, Hjort says.

The bugs were reported to Zyxel in March 2024 along with two other vulnerabilities in the two products, tracked as CVE-2024-29975 and CVE-2024-29976, and which could lead to privilege escalation and information disclosure, respectively. The exploitation of both issues requires authentication.

NAS326 users are advised to update to firmware version V5.21(AAZF.17)C0 as soon as possible. NAS542 users should update to firmware version V5.21(ABAG.14)C0.

Related: QNAP Rushes Patch for Code Execution Flaw in NAS Devices

Related: Zyxel Patches Remote Code Execution Bug in Firewall Products

Related: Multiple DDoS Botnets Exploiting Recent Zyxel Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Gabriel Agboruche has been named Executive Director of OT and Cybersecurity at Jacobs.

Data security startup Reco adds Merritt Baer as CISO

Chris Pashley has been named CISO at Advanced Research Projects Agency for Health (ARPA-H).

More People On The Move

Expert Insights