Multiple NAS devices, including QTS, QuTS hero, QuTScloud, and myQNAPcloud, are vulnerable to three critical severity flaws. Tracked as CVE-2024-21899, CVE-2024-21900, and CVE-2024-21901, the vulnerabilities could allow authenticated administrators to inject malicious code via a network, compromising the system’s security.
Tag: QNAP
QNAP QTS OS Command Injection Vulnerabilities (CVE-2023-47218 & CVE-2023-50358)
Two OS command injection vulnerabilities impact the operating systems embedded in the firmware of QNAP’s popular network-attached storage (NAS) devices. Tracked as CVE-2023-47218 and CVE-2023-50358, the vulnerabilities may allow users to execute commands via a network. The vulnerabilities affect QNAP operating systems such as QTS, QuTS hero, and QuTScloud. CVE-2023-47218 can be exploited by …
QNAP QTS Command Injection Vulnerabilities (CVE-2023-23368 & CVE-2023-23369)
QNAP has released security advisories to address command injection vulnerabilities in multiple QNAP operating system versions. Tracked as CVE-2023-23368 and CVE-2023-23369, the vulnerabilities are rated as critical, with CVSS scores of 9.8 and 9, respectively. Successful exploitation of the vulnerabilities may allow a remote attacker to execute commands via a network.
QSnatch malware aka “Derek” multiple vulnerabilities
In mid-June 2020, QNAP devices were found to be vulnerable to the older QSnatch malware campaigns of 2014 and 2017. Description: The vulnerabilities due to QSnatch have a high to critical impact on QNAP NAS devices. A joint advisory published by CISA and NCSC says that “it has infected 62,000 devices worldwide, including 3900 in the UK …
QNAP Pre-Auth Root RCE Vulnerability (CVE-2019-7192, CVE-2019-7193, CVE-2019-7194, CVE-2019-7195)
Overview: In 2019, multiple vulnerabilities were discovered in QNAP PhotoStation and CGI programs. These vulnerabilities can be chained into a pre-auth root Remote Code Execution. More than 450K devices using QNAP PhotoStation and CGI programs are vulnerable to attack. Vulnerability 1: Pre-Auth Local File Disclosure. Vulnerable code is present in the following function. After execution of exportfile …