QNAP warns its NAS devices are facing a critical security flaw — but a patch is available, so update now

QNAP
(Image credit: QNAP)

QNAP is sounding the alarm on its NAS devices, saying they’re vulnerable to flaws that could result in dangerous cyberattacks.

The company has said some of its QTS, QuTS hero, QuTScloud, and myQNAPcloud products were vulnerable to three distinct flaws, one of which was particularly dangerous.

That flaw is tracked as CVE-2024-21899, and described as an improper authentication mechanism. Hackers can use this vulnerability, the company explained, to remotely compromise the target system’s security, through the network. The other two vulnerabilities are tracked as CVE-2024-21900, and CVE-2024-21901. The former allows for arbitrary command execution, while the latter malicious SQL code injection. The difference between these two, and the first one, is that only the first one can be abused remotely, and without the need for authentication upfront.

Patch, or face the consequences

The versions of QNAP’s operating system vulnerable to these flaws are QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, QuTS hero h4.5.x, QuTScloud c5.x, and the myQNAPcloud 1.0.x service.

To defend against potential attackers, QNAP NAS users are advised to upgrade their instances to these versions:

QTS 5.1.3.2578 build 20231110 and later
QTS 4.5.4.2627 build 20231225 and later
QuTS hero h5.1.3.2578 build 20231110 and later
QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.1.5.2651 and later
myQNAPcloud 1.0.52 (2023/11/24) and later

QNAP’s NAS devices are popular among SMBs, which makes them a major target for cybercrooks. The Taiwanese manufacturer often discovers, and patches, high severity and critical vulnerabilities, and users are advised to keep track and apply the patch at the earliest moment. 

Roughly a month ago, QNAP patched 24 vulnerabilities across its product range, including two high-severity flaws that could enable command execution, and in late January, QNAP patched a dangerous flaw affecting QTS 5.0.1 and QuTS hero h.5.0.1.

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.