QNAP has published a security advisory about two critical vulnerabilities that could allow remote attackers to execute commands via a network.
One of the vulnerabilities affects the QTS and QuTS operating systems (OS) for QNAP’s network-attached storage (NAS) systems. The second one is found in versions of QTS, the Multimedia Console, and the Media Streaming add-on.
The first vulnerability, CVE-2023-23368 (CVSS score 9.8 out of 10), is an OS command injection vulnerability.
OS command injection (also known as shell injection) is a security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the device that is running an application, and typically to fully compromise the application and all its data.
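To make the vulnerability class concrete, here is an added example (not QNAP's code, and not the actual CVE-2023-23368 or CVE-2023-23369 defect) of the pattern behind OS command injection in a NAS-style media endpoint: the vulnerable builder pastes a request parameter into a shell string, the hardened builder allow-lists the value, confines it to the share and passes it as an argv element with no shell. The share path `/share/Multimedia`, the `ffprobe` call and the file names are constructed assumptions.

```python
import re
import subprocess
from pathlib import Path

# Constructed illustration of the vulnerability class the advisory names
# (OS command injection in a NAS media-handling endpoint). It is not QNAP's
# code and does not reproduce CVE-2023-23368 or CVE-2023-23369.
MEDIA_ROOT = Path("/share/Multimedia")            # hypothetical NAS share path
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,255}")  # allow-list for file names
SHELL_META = re.compile(r"[;&|`$()<>\n]")         # characters a shell acts on


def build_command_unsafe(filename: str) -> str:
    """Vulnerable pattern: request data is pasted into a shell command line.
    Whatever the shell treats specially inside `filename` becomes part of
    the command, which is exactly what OS command injection means."""
    return f"ffprobe -show_format {MEDIA_ROOT / filename}"


def build_command_safe(filename: str) -> list[str]:
    """Hardened pattern: allow-list the value, confine it to the share, and
    hand it over as one argv element so no shell ever parses it."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("file name rejected by allow-list")
    target = (MEDIA_ROOT / filename).resolve()
    # the regex still admits '.' and '..'; the resolved path must stay inside
    if MEDIA_ROOT.resolve() not in target.parents:
        raise ValueError("path escapes the media share")
    return ["ffprobe", "-show_format", str(target)]


def run_safe(filename: str) -> subprocess.CompletedProcess:
    # shell=False: argv goes straight to execve, no metacharacter expansion
    return subprocess.run(build_command_safe(filename), shell=False,
                          capture_output=True, text=True, check=False)


def accepts(filename: str) -> bool:
    """True when the hardened builder would run the request."""
    try:
        build_command_safe(filename)
        return True
    except ValueError:
        return False


def looks_like_injection(param: str) -> bool:
    """Detection aid for web-server logs: a media file name parameter should
    never carry shell metacharacters, so flag requests that do."""
    return SHELL_META.search(param) is not None
```

`looks_like_injection` is the kind of check a defender can run over request logs to spot attempts against endpoints like the ones patched here, independent of whether the device is already updated.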
A fix is available for the vulnerability in the following versions:
To update QTS, QuTS hero, or QuTScloud you can:
If that doesn’t work for you, you can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.
The second vulnerability, CVE-2023-23369 (CVSS score 9 out of 10), is also an OS command injection vulnerability that reportedly affects several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.
A fix for the vulnerability is available for the following versions:
To update the Multimedia Console:
To update the Media Streaming add-on:
Extra tip: while you are logged in as an administrator, consider whether your password is strong enough. On October 19, 2023, QNAP reported a significant wave of weak-password attacks. NAS owners are one of the most common targets of ransomware attacks against consumers.