QNAP Patches New Flaws in QTS and QuTS hero Impacting NAS Appliances

May 22, 2024 at 01:33AM QNAP has addressed medium-severity security flaws in its QTS and QuTS hero, including permissions, code execution, and buffer overflow vulnerabilities. Fixes have been released, credited to Aliz Hammond of watchTowr Labs. Although some issues remain outstanding, QNAP has committed to improving coordination with researchers and enhancing security measures for its …

Researchers call out QNAP for dragging its heels on patch development

May 20, 2024 at 10:07AM watchTowr’s disclosure of QNAP vulnerabilities revealed 15 issues, with only 4 addressed. Six are accepted with no available patches, while the rest are still under embargo or have no solution. QNAP has a history of ransomware attacks and slow patching. CVE-2024-27130, with potential RCE, remains unpatched despite being acknowledged by …

Critical Vulnerability Allows Access to QNAP NAS Devices

March 11, 2024 at 10:03AM Over the weekend, Taiwan-based QNAP Systems announced patches for critical vulnerabilities in several products, such as QTS, QuTS hero, and QuTScloud. The flaws could enable unauthenticated access to network-attached storage (NAS) devices. CVE-2024-21899 poses a high risk, while CVE-2024-21900 and CVE-2024-21901 present medium risks, requiring authentication for exploitation. QNAP also …

QNAP warns of critical auth bypass flaw in its NAS devices

March 8, 2024 at 03:07PM QNAP has warned of vulnerabilities in its NAS software, including QTS, QuTS hero, QuTScloud, and myQNAPcloud, which could grant unauthorized access to devices. The flaws include an authentication bypass, command injection, and SQL injection, affecting various operating systems. Users are advised to upgrade to specific versions to address the vulnerabilities …

QNAP vulnerability disclosure ends up an utter shambles

February 13, 2024 at 03:05PM QNAP has disclosed and patched two vulnerabilities, including a zero-day, affecting its NAS devices. The severity of the issues is disputed, with QNAP rating one as mid-level and Unit 42 rating it as a critical threat. The vulnerabilities can lead to remote code execution and affect numerous devices, with specific patch recommendations …

QNAP Patches High-Severity Flaws in QTS, Video Station, QuMagie, Netatalk Products

January 8, 2024 at 09:54AM QNAP Systems has released patches for a dozen vulnerabilities, including high-severity flaws affecting its operating system and products like QTS, QuTS hero, Video Station, and QuMagie. These vulnerabilities could allow remote attackers to execute arbitrary code, perform SQL injection and OS command injection, and exploit cross-site scripting flaws. Details can …

CISA Warns of FXC Router, QNAP NVR Vulnerabilities Exploited in the Wild

December 22, 2023 at 06:45AM CISA released advisories for ICS vulnerabilities affecting FXC routers and QNAP NVR devices, exploited in the wild. The FXC flaw allows remote code execution via NTP server settings, affecting outlet wall routers in Japan. QNAP’s vulnerability, patched years ago, is being exploited by a Mirai-based malware campaign targeting legacy models. …

QNAP Releases Patch for 2 Critical Flaws Threatening Your NAS Devices

November 6, 2023 at 01:00PM QNAP has released security updates to address two critical vulnerabilities in its operating system. The first vulnerability, tracked as CVE-2023-23368, is a command injection bug affecting QTS, QuTS hero, and QuTScloud. The second vulnerability, CVE-2023-23369, is a command injection flaw in QTS, Multimedia Console, and Media Streaming add-on. Users are …

QNAP warns of critical command injection flaws in QTS OS, apps

November 6, 2023 at 07:52AM QNAP Systems has issued security advisories regarding two critical command injection vulnerabilities in its QTS operating system and applications for network-attached storage (NAS) devices. The flaws, tracked as CVE-2023-23368 and CVE-2023-23369, can be exploited remotely by attackers. Multiple QTS versions are affected, but fixes are available for download. Admins are …

QNAP takes down server behind widespread brute-force attacks

October 23, 2023 at 09:25AM QNAP has successfully taken down a malicious server used in widespread brute-force attacks on NAS devices with weak passwords. With the help of Digital Ocean, they quickly identified and blocked the command-and-control server within 48 hours. QNAP urges customers to implement security measures, including changing default access port numbers and …