25 June 2024

'Mirai-like' botnet targets end-of-life Zyxel NAS devices



The Shadowserver Foundation has warned of a surge in cyberattacks targeting end-of-life Zyxel NAS devices, exploiting recently disclosed vulnerabilities.

The organization said that its monitoring systems identified multiple remote command execution attempts orchestrated by a “Mirai-like botnet.”

These attacks come just weeks after three high-severity Zyxel NAS vulnerabilities were publicly disclosed. Shadowserver said that the flaw under attack is CVE-2024-29973, an OS command injection flaw that allows remote command execution. The vulnerability affects Zyxel NAS326 and NAS542 devices.

Besides CVE-2024-29973, Zyxel’s advisory mentions two more high-severity vulnerabilities – CVE-2024-29972 and CVE-2024-29974. CVE-2024-29972 is another command injection issue, while CVE-2024-29974 is an arbitrary file upload flaw that could be used to compromise the target system via a malicious file.

Shadowserver highlighted only CVE-2024-29973 in its advisory, so it appears that CVE-2024-29972 and CVE-2024-29974 have not yet been weaponized by threat actors.

Users of impacted Zyxel NAS326 and Zyxel NAS542 devices are advised to install the V5.21(AAZF.17)C0 and V5.21(ABAG.14)C0 patches, respectively, as soon as possible, or to upgrade their devices if possible.

 

 
