QNAP has identified and resolved a critical vulnerability in its QTS, QuTScloud, QuTS hero, and myQNAPcloud products. Customers should update their QNAP NAS devices to the latest firmware to patch the vulnerability.
The vulnerability in question,CVE-2024-21899, could allow bad actors to bypass authentication and remotely access a network. It’s a “low complexity” vulnerability, meaning that it’s easy to exploit, and it carries a CVSS score of 9.8.
Two medium-severity vulnerabilities have also been patched by QNAP. Tracked asCVE-2024-21900andCVE-2024-21901, the vulnerabilities allow authenticated users to execute arbitrary code or inject SQL through a network. Neither CVE-2024-21900 nor CVE-2024-21901 are critical vulnerabilities, though they could be used in conjunction with CVE-2024-21899 to form an aggressive attack across a network.
It seems that none of the listed vulnerabilities have been used in the wild. However, real-world attacks may occur if customers fail to update their QNAP systems.
In any case, these vulnerabilities affect several versions of QNAP’s operating system. If your QNAP NAS is running QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, QuTS hero h4.5.x, QuTScloud c5.x, or myQNAPcloud 1.0.x, you need to upgrade to one of the following firmware versions:
Log into your QNAP device as an administrator and open the Control Panel to perform a firmware update. If you’re working with myQNAPcloud, you need to open the App Center and search for “myQNAPcloud” to install the latest firmware.
Note that you can always visit QNAP’sproduct support status pageto see the latest updates for your NAS device. QNAP recommends regularly updating your system to patch zero-day vulnerabilities and other exploits. This is important even when remote access is disabled on your NAS.
Additional information is available on QNAP’sAlerts page. If you’re using QNAP in an enterprise setting, I suggest that you regularly visit the Alerts page to keep up with new vulnerabilities and install critical updates.
