QNAP addresses CVE-2024-50389 in QuRouter

QNAP has addressed a critical zero-day vulnerability in its QuRouter network security appliance, exploited by security researchers during the recent Pwn2Own hacking contest in Ireland.

The vulnerability, tracked as CVE-2024-50389 with a CVSS score of 7.8, allowed the Viettel Cyber Security team to compromise a QuRouter device.

QNAP released patches for the affected QuRouter 2.4.x versions and urged users to update to version 2.4.5.032 or later immediately. The company also acknowledged Viettel Cyber Security for responsibly disclosing the vulnerability.

This patch release follows two other zero-day vulnerabilities patched by QNAP last week, also discovered by the same team during Pwn2Own:

  • CVE-2024-50388: A flaw in the HBS 3 Hybrid Backup Sync solution that allowed attackers to execute arbitrary commands on a TS-464 NAS device.
  • CVE-2024-50387: A critical SQL injection vulnerability in QNAP’s SMB Service.

QNAP has provided clear instructions for updating to the latest firmware version:

  1. Log in to your QuRouter.
  2. Go to Firmware.
  3. Select Update now.
  4. Select Latest.
  5. Click Apply and confirm.
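
To confirm which devices in a fleet still need the update, the following added example (not QNAP's code) classifies firmware versions against the fixed release named above. The inventory lines are constructed, and the version format is assumed to be four dot-separated numeric fields, as in 2.4.5.032.

```python
"""Triage QuRouter firmware versions against the fix for CVE-2024-50389."""
import csv
import io

FIXED = (2, 4, 5, 32)      # 2.4.5.032, the fixed version named in the article
AFFECTED_BRANCH = (2, 4)   # the article lists QuRouter 2.4.x as affected


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not N.N.N.N."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    # Compare as integers: "032" equals 32, and 10 sorts after 5.
    return tuple(int(p) for p in parts)


def classify(version_text):
    version = parse_version(version_text)
    if version is None:
        return "unknown"       # unparseable: check the device by hand
    if version >= FIXED:
        return "patched"
    if version[:2] == AFFECTED_BRANCH:
        return "vulnerable"
    return "not-listed"        # older branch the article says nothing about


# Constructed inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = """host,firmware
branch-gw1,2.4.4.106
branch-gw2,2.4.5.032
branch-gw3,2.4.10.001
lab-gw,2.3.1.020
hq-gw,n/a
"""


def triage(inventory_csv):
    """Map each host in a host,firmware CSV to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["firmware"]) for row in rows}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

A plain string comparison would rank 2.4.10.001 below 2.4.5.032 and flag a patched device as vulnerable, which is why the fields are compared as integers.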
