QNAP has warned its customers earlier this week that some of its NAS devices with non-default configurations are vulnerable to attacks that would exploit a three-year-old critical PHP vulnerability allowing RCE
A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11. If exploited, the vulnerability allows attackers to gain remote code execution. To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes.QNAP advisory statement
QNAP has already patched the security flaw CVE-2019-11043 for some operating system versions exposed to attacks (QTS 184.108.40.2064 build 20220515 or later and QuTS hero h220.127.116.119 build 20220614 or later).
This bug affects a wide range of devices running:
- QTS 5.0.x and later
- QTS 4.5.x and later
- QuTS hero h5.0.x and later
- QuTS hero h4.5.x and later
- QuTScloud c5.0.x and later
Updating QTS, QuTS hero, or QuTScloud
- Log on to QTS, QuTS hero, or QuTScloud as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QTS, QuTS hero, or QuTScloud downloads and installs the latest available update.
You can also manually upgrade your device after downloading the update on the QNAP website from Support > Download Center.