QNAP patches worrying NAS security flaw, so update now


Top NAS device manufacturer QNAP has fixed a high-severity vulnerability which allowed threat actors to execute arbitrary commands on target endpoints.

This zero-day flaw was described as an OS command injection weakness, plaguing the company’s disaster recovery and data backup solution called HBS 3 Hybrid Backup Sync. Versions 25.1.x were said to be vulnerable.

The bug is tracked as CVE-2024-50388, and is yet to be given a severity score.

"An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands," the company said in a follow-up security advisory.

Pwn2Own

If your organization uses these devices, upgrade to the latest version as soon as possible: to protect against potential compromise, update HBS 3 Hybrid Backup Sync to version 25.1.1.673 or newer.

Updating can be done from the NAS itself: log into QTS or QuTS hero as admin, open the App Center, find “HBS 3 Hybrid Backup Sync”, and look for the “Update” button. If the button is not shown, the app is already up to date.
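As an added example that is not from the article or from QNAP, here is a small Python check that flags HBS 3 Hybrid Backup Sync versions affected by CVE-2024-50388 using only the ranges stated above (25.1.x affected, fixed in 25.1.1.673 or newer). The inventory is constructed, and release branches the article does not cover are reported as needing a manual check against QNAP's advisory rather than assumed safe.

```python
# Added example (not QNAP code): classify HBS 3 Hybrid Backup Sync versions
# against CVE-2024-50388 using the ranges stated in the article:
# 25.1.x is affected, fixed in 25.1.1.673 or newer.
from typing import Dict, Tuple

FIXED = (25, 1, 1, 673)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '25.1.1.673' into (25, 1, 1, 673) so the comparison is numeric,
    not lexicographic ('25.1.1.673' < '25.1.1.70' as strings!)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def pad(v: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    """Right-pad with zeros so '25.1.0' compares as (25, 1, 0, 0)."""
    return v + (0,) * (n - len(v))


def status(version_text: str) -> str:
    """'vulnerable', 'fixed', or 'check-advisory' for branches the article
    does not cover (assumption: we do not guess about those)."""
    v = parse_version(version_text)
    if v[:2] != (25, 1):
        return "check-advisory"
    return "fixed" if pad(v, 4) >= FIXED else "vulnerable"


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """inventory maps hostname -> reported HBS 3 version string.
    Unparseable entries are reported, never silently skipped."""
    out = {}
    for host, ver in inventory.items():
        try:
            out[host] = status(ver)
        except ValueError:
            out[host] = "unparseable"
    return out


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "nas-01": "25.1.1.673",   # exactly the fixed build
    "nas-02": "25.1.1.670",   # older 25.1 build -> vulnerable
    "nas-03": "25.1.0",       # short version string -> vulnerable
    "nas-04": "24.0.2.123",   # branch not covered by the article
    "nas-05": "latest",       # bad inventory data
}

if __name__ == "__main__":
    for host, s in audit(SAMPLE).items():
        print(f"{host}: {s}")
```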

The vulnerability was first discovered during the Pwn2Own Ireland 2024 hacking contest, where two Viettel Cyber Security researchers, Ha The Long and Ha Anh Hoang, used it to execute arbitrary code and gain admin privileges on a TS-464 NAS device. The team went on to win the contest.

QNAP is one of the world’s most popular manufacturers of NAS devices, and as such is a major target for cybercriminals. NAS devices often store sensitive personal files which, if stolen, can be used as leverage in an extortion attempt. QNAP regularly releases patches for different vulnerabilities, so it is wise to keep these devices updated at all times.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
