Popular NAS vendor issues emergency patch against potentially highly damaging vulnerabilities — here's what you need to know

By Wayne Williams published 11 February 2024

QNAP says this is a proactive measure, but you need to take it seriously

When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

(Image credit: QNAP)

NAS vendor QNAP Systems has urgently issued patches for no fewer than 24 vulnerabilities across its product range, including two high-severity flaws that could enable command execution.

Despite the severity of these vulnerabilities, QNAP has not reported any instances of these bugs being exploited in the wild. The Taiwan-based firm's move is more of a proactive measure against potentially highly damaging exploits.

According to Security Week, the most concerning vulnerabilities, referred to as CVE-2023-45025 and CVE-2023-39297, are OS command injection flaws. These flaws are present in QTS versions 5.1.x and 4.5.x, QuTS hero versions h5.1.x and h4.5.x, and QuTScloud version 5.x. The first of these can be manipulated by users to execute commands across a network under certain system configurations, while the second requires authentication for successful exploitation.

Patch now!

QNAP has also released patches for two additional vulnerabilities, CVE-2023-47567 and CVE-2023-47568. These remotely exploitable flaws are present in QTS, QuTS hero, and QuTScloud and require administrator authentication for successful exploitation. The former is an OS command injection, while the latter is an SQL injection vulnerability.

All four of these security defects have been addressed in the latest QTS, QuTS hero, and QuTScloud versions. Another high-severity vulnerability, CVE-2023-47564, affecting Qsync Central versions 4.4.x and 4.3.x, has also been patched. This bug could allow authenticated users to read or modify critical resources over a network.

In addition to these high-severity flaws, QNAP has patched multiple medium-severity vulnerabilities that could lead to code execution, DoS attacks, command execution, restrictions bypass, leakage of sensitive data, and code injection.

For more detailed information on these vulnerabilities, users are advised to visit QNAP’s security advisories page.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsors

By submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.

More from TechRadar Pro

These are the best NAS devices
While these are the best NAS hard drives
QNAP urges customers to update now to stay safe from dangerous security flaw

Wayne Williams

Social Links Navigation

Editor

Wayne Williams is a freelancer writing news for TechRadar Pro. He has been writing about computers, technology, and the web for 30 years. In that time he wrote for most of the UK’s PC magazines, and launched, edited and published a number of them too.