QNAP Issues Warning on Critical Command Injection Vulnerabilities in QTS OS and Apps

November 6, 2023

QNAP Systems has released security advisories concerning two critical command injection vulnerabilities that affect numerous versions of the QTS operating system and applications on its network-attached storage (NAS) devices.

The first vulnerability, designated as CVE-2023-23368, carries a critical severity rating of 9.8 out of 10. This command injection vulnerability could be exploited by a remote attacker to execute commands via a network. The QTS versions impacted by this security issue include QTS 5.0.x and 4.5.x, QuTS hero h5.0.x and h4.5.x, and QuTScloud c5.0.1. Fixes have been made available in subsequent releases.

The second vulnerability, identified as CVE-2023-23369, has a slightly lower severity rating of 9.0 and could also be exploited by a remote attacker in a similar manner to the previous one. The affected QTS versions are 5.1.x, 4.3.6, 4.3.4, 4.3.3, and 4.2.x, Multimedia Console 2.1.x and 1.4.x, and Media Streaming add-on 500.1.x and 500.0.x.

Administrators can update QTS, QuTS hero, or QuTScloud by logging in and navigating to Control Panel > System > Firmware Update, and clicking on 'Check for Update' under Live Update to download and install the latest version. Updates can also be manually downloaded from QNAP's website. Multimedia Console can be updated by finding the installation in the App Center and clicking the 'Update' button (only available if a newer version exists). The process is similar for the Media Streaming add-on, which users can locate by searching the App Center.

NAS devices are typically used for data storage, and command execution flaws can pose a significant threat as cybercriminals often seek new targets to steal and/or encrypt sensitive data from. Attackers can then demand a ransom from the victim to either prevent the data from being leaked or to decrypt it. QNAP devices have previously been targeted in large-scale ransomware attacks. A year ago, the Deadbolt ransomware gang exploited a zero-day vulnerability to encrypt NAS devices exposed on the public internet. Therefore, QNAP users are strongly advised to apply the available security updates as soon as possible.

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.