Jump to content

QNAP warns its NAS devices are facing a critical security flaw — but a patch is available, so update now

Recommended Posts


QNAP is sounding the alarm on its NAS devices, saying they’re vulnerable to flaws that could result in dangerous cyberattacks.

The company has said some of its QTS, QuTS hero, QuTScloud, and myQNAPcloud products were vulnerable to three distinct flaws, one of which was particularly dangerous.

That flaw is tracked as CVE-2024-21899, and described as an improper authentication mechanism. Hackers can use this vulnerability, the company explained, to remotely compromise the target system’s security, through the network. The other two vulnerabilities are tracked as CVE-2024-21900, and CVE-2024-21901. The former allows for arbitrary command execution, while the latter malicious SQL code injection. The difference between these two, and the first one, is that only the first one can be abused remotely, and without the need for authentication upfront.

Patch, or face the consequences

The versions of QNAP’s operating system vulnerable to these flaws are QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, QuTS hero h4.5.x, QuTScloud c5.x, and the myQNAPcloud 1.0.x service.

To defend against potential attackers, QNAP NAS users are advised to upgrade their instances to these versions:

QTS build 20231110 and later
QTS build 20231225 and later
QuTS hero h5.1.3.2578 build 20231110 and later
QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.1.5.2651 and later
myQNAPcloud 1.0.52 (2023/11/24) and later

QNAP’s NAS devices are popular among SMBs, which makes them a major target for cybercrooks. The Taiwanese manufacturer often discovers, and patches, high severity and critical vulnerabilities, and users are advised to keep track and apply the patch at the earliest moment. 

Roughly a month ago, QNAP patched 24 vulnerabilities across its product range, including two high-severity flaws that could enable command execution, and in late January, QNAP patched a dangerous flaw affecting QTS 5.0.1 and QuTS hero h.5.0.1.

Via BleepingComputer

More from TechRadar Pro

View the full article

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...