Fri. Apr 19th, 2024



QNAP has identified and resolved a critical vulnerability in its QTS, QuTScloud, QuTS hero, and myQNAPcloud products. Customers should update their QNAP NAS devices to the latest firmware to patch the vulnerability.



The vulnerability in question, CVE-2024-21899, could allow bad actors to bypass authentication and remotely access a network. It’s a “low complexity” vulnerability, meaning that it’s easy to exploit, and it carries a CVSS score of 9.8.

Two medium-severity vulnerabilities have also been patched by QNAP. Tracked as CVE-2024-21900 and CVE-2024-21901, the vulnerabilities allow authenticated users to execute arbitrary code or inject SQL through a network. Neither CVE-2024-21900 nor CVE-2024-21901 are critical vulnerabilities, though they could be used in conjunction with CVE-2024-21899 to form an aggressive attack across a network.

It seems that none of the listed vulnerabilities have been used in the wild. However, real-world attacks may occur if customers fail to update their QNAP systems.


In any case, these vulnerabilities affect several versions of QNAP’s operating system. If your QNAP NAS is running QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, QuTS hero h4.5.x, QuTScloud c5.x, or myQNAPcloud 1.0.x, you need to upgrade to one of the following firmware versions:

  • QTS 5.1.3.2578 build 20231110 and later
  • QTS 4.5.4.2627 build 20231225 and later
  • QuTS hero h5.1.3.2578 build 20231110 and later
  • QuTS hero h4.5.4.2626 build 20231225 and later
  • QuTScloud c5.1.5.2651 and later
  • myQNAPcloud 1.0.52 (2023/11/24) and later

Log into your QNAP device as an administrator and open the Control Panel to perform a firmware update. If you’re working with myQNAPcloud, you need to open the App Center and search for “myQNAPcloud” to install the latest firmware.

Note that you can always visit QNAP’s product support status page to see the latest updates for your NAS device. QNAP recommends regularly updating your system to patch zero-day vulnerabilities and other exploits. This is important even when remote access is disabled on your NAS.


Additional information is available on QNAP’s Alerts page. If you’re using QNAP in an enterprise setting, I suggest that you regularly visit the Alerts page to keep up with new vulnerabilities and install critical updates.

Source: QNAP via Bleeping Computer



Source link

By John P.

Leave a Reply

Your email address will not be published. Required fields are marked *