
QNAP has issued an urgent security advisory to its users concerning multiple severe vulnerabilities across its suite of NAS software products. These flaws, if exploited, could enable attackers to perform unauthorized actions such as bypassing authentication mechanisms and executing commands remotely.
The first two vulnerabilities, tracked as CVE-2024-27124 with a CVSS score of 7.5 and CVE-2024-32766 with a CVSS score of 10, are OS command injection flaws. OS command injection is a technique where attackers can send malicious commands to a vulnerable system, allowing them to run arbitrary code. This could lead to data theft, installation of malware, or a complete NAS takeover.
The third vulnerability, tracked as CVE-2024-32764 with a CVSS score of 9.9, is a dangerous flaw permitting unauthorized access to critical functions within the myQNAPcloud Link service.
QNAP urges all users to update their devices immediately to the following versions, which contain the necessary security patches:
- QTS 5.1.3.2578 build 20231110 and later
- QTS 4.5.4.2627 build 20231225 and later
- QuTS hero h5.1.3.2578 build 20231110 and later
- QuTS hero h4.5.4.2626 build 20231225 and later
- QuTScloud c5.1.5.2651 and later
- myQNAPcloud 1.0.52 (2023/11/24) and later
- myQNAPcloud Link 2.4.51 and later
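
For administrators auditing several devices, the following added example (not QNAP's code) compares an installed version string against the fixed releases listed above. The function names and the sample inventory are constructed for illustration, and it assumes that each fixed QTS and QuTS hero release applies only to its own major.minor branch.

```python
import re

# Minimum fixed releases copied from the list above: (product, version, build date).
FIXED = [
    ("QTS", "5.1.3.2578", 20231110),
    ("QTS", "4.5.4.2627", 20231225),
    ("QuTS hero", "5.1.3.2578", 20231110),
    ("QuTS hero", "4.5.4.2626", 20231225),
    ("QuTScloud", "5.1.5.2651", 0),
    ("myQNAPcloud", "1.0.52", 0),
    ("myQNAPcloud Link", "2.4.51", 0),
]

VERSION_RE = re.compile(r"^[hc]?(\d+(?:\.\d+)+)(?:\s+build\s+(\d{8}))?$", re.I)

def parse(text):
    """Return ((major, minor, ...), build_date); build_date is 0 if absent."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def status(product, installed):
    """Return 'patched', 'update' or 'unknown' for one installed product."""
    version, build = parse(installed)
    rows = [(parse(v)[0], b) for p, v, b in FIXED if p == product]
    if len(rows) > 1:
        # Assumption: each fixed release covers only its own major.minor branch.
        rows = [r for r in rows if r[0][:2] == version[:2]]
    if len(rows) != 1:
        return "unknown"  # product or branch not covered by the list
    # A matching version with no build date given is conservatively flagged.
    return "patched" if (version, build) >= rows[0] else "update"

if __name__ == "__main__":
    # Constructed inventory, not taken from real devices.
    inventory = [
        ("QTS", "5.1.3.2578 build 20231110"),
        ("QuTS hero", "h4.5.4.2620 build 20231201"),
        ("myQNAPcloud Link", "2.4.50"),
        ("QTS", "5.0.1.2346 build 20230322"),
    ]
    for product, installed in inventory:
        print(f"{product:18} {installed:28} {status(product, installed)}")
```

A result of "unknown" means the list above names no fixed release for that product or branch, so it should be checked by hand rather than treated as safe.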


