NAS vendor QNAP Systems has urgently issued patches for more than two dozen vulnerabilities across its product range, including two high-severity flaws that could allow command execution.
Despite the severity of these vulnerabilities, QNAP has not reported any instances of these bugs being exploited in the wild. The Taiwan-based company's move is a proactive measure against a potentially costly exploit.
According to Security Week, the most concerning vulnerabilities, called CVE-2023-45025 and CVE-2023-39297, are OS command injection flaws. These flaws exist in QTS versions 5.1.x and 4.5.x, QuTS hero versions h5.1.x and h4.5.x, and QuTScloud version 5.x. The first of these allows user interaction under certain system configurations to execute commands over the network, while the second requires authentication for successful exploitation.
QNAP has also released patches for two additional vulnerabilities, CVE-2023-47567 and CVE-2023-47568. These remotely exploitable flaws exist in QTS, QuTS hero, and QuTScloud and require administrator authentication for successful exploitation. The former is an OS command injection vulnerability, and the latter is an SQL injection vulnerability.
All four of these security flaws have been resolved in the latest QTS, QuTS hero, and QuTScloud versions. Another high-severity vulnerability, CVE-2023-47564, affecting Qsync Central versions 4.4.x and 4.3.x has also been patched. This bug could allow an authenticated user to read or modify sensitive resources over the network.
In addition to these high-severity flaws, QNAP has fixed multiple medium-severity vulnerabilities that could lead to code execution, DoS attacks, command execution, restriction bypass, sensitive data disclosure, and code injection. did.
For more information about these vulnerabilities, we recommend visiting QNAP's security advisory page.