QNAP and Veritas dump 30-plus vulns over the weekend

November 26, 2024 at 05:33AM

QNAP addressed 24 vulnerabilities in its products, with two critical and nine high-severity flaws identified. The most affected was the Notes Station 3 app. Meanwhile, Veritas disclosed seven critical vulnerabilities in its Enterprise Vault software, with patches expected long-term, raising concerns about security management and response efficiency. …

Synology hurries out patches for zero-days exploited at Pwn2Own

November 1, 2024 at 12:40PM

Synology quickly addressed two critical zero-click vulnerabilities found in its Synology Photos and BeePhotos software during the Pwn2Own 2024 competition. Users are urged to update their systems to prevent remote code execution attacks. Similar vulnerabilities were also patched by QNAP, highlighting ongoing security risks for exposed NAS devices. …

Researchers call out QNAP for dragging its heels on patch development

May 20, 2024 at 10:07AM

watchTowr's disclosure of QNAP vulnerabilities revealed 15 issues, with only 4 addressed. Six are accepted with no available patches, while the rest are still under embargo or have no solution. QNAP has a history of ransomware attacks and slow patching. CVE-2024-27130, with potential RCE, remains unpatched despite being acknowledged by …

92K D-Link NAS Devices Open to Critical Command-Injection Bug

April 9, 2024 at 12:40PM

A critical flaw in several end-of-life models of D-Link NAS devices, tracked as CVE-2024-3273, allows attackers to backdoor the devices, potentially accessing sensitive information and enabling other nefarious activities. D-Link advises retiring and replacing affected devices as they will no longer receive updates or support. Use unique passwords and enable …

Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks

April 8, 2024 at 06:23PM

Attackers target over 92,000 unpatched end-of-life D-Link NAS devices with a critical remote code execution vulnerability. Exploiting a hardcoded account and command injection flaw, threat actors deploy a Mirai malware variant to create botnets for large-scale DDoS attacks. D-Link has ceased support for these devices, advising owners to retire or …

Over 92,000 exposed D-Link NAS devices have a backdoor account

April 6, 2024 at 12:04PM

A threat researcher disclosed a new arbitrary command injection and hardcoded backdoor flaw in multiple end-of-life D-Link Network Attached Storage (NAS) models, impacting their security. The flaw allows remote execution of arbitrary commands and affects over 92,000 vulnerable devices. D-Link has confirmed the end of support for these devices and …

Critical Vulnerability Allows Access to QNAP NAS Devices

March 11, 2024 at 10:03AM

Over the weekend, Taiwan-based QNAP Systems announced patches for critical vulnerabilities in several products, such as QTS, QuTS hero, and QuTScloud. The flaws could enable unauthenticated access to network-attached storage (NAS) devices. CVE-2024-21899 poses a high risk, while CVE-2024-21900 and CVE-2024-21901 present medium risks, requiring authentication for exploitation. QNAP also …

QNAP vulnerability disclosure ends up an utter shambles

February 13, 2024 at 03:05PM

QNAP has disclosed and patched two vulnerabilities, including a zero-day, affecting its NAS devices. The severity of the issues is disputed, with QNAP rating one as mid-level and Unit 42 as a critical threat. The vulnerabilities can lead to remote code execution and affect numerous devices, with specific patch recommendations …