Multiple QNAP Vulnerabilities Let Attackers Inject Malicious Codes

QNAP has disclosed a series of vulnerabilities within its operating systems and applications that could potentially allow attackers to compromise system security and execute malicious commands.

These vulnerabilities, identified as CVE-2024-21899, CVE-2024-21900, and CVE-2024-21901, pose significant risks to users of affected QNAP devices.

The company has promptly responded by releasing updates to mitigate these vulnerabilities.

- Advertisement -

Understanding the Vulnerabilities

CVE-2024-21899: Compromising System Security Through Improper Authentication

This vulnerability could allow unauthorized users to bypass authentication mechanisms, allowing them to compromise the system’s security via a network.

The improper authentication flaw poses a critical risk, as it could enable attackers to gain unauthorized access to sensitive information or disrupt system operations.

CVE-2024-21900: Command Execution Through Injection Vulnerability

CVE-2024-21900 is an injection vulnerability that could allow authenticated users to execute arbitrary commands via a network.

This vulnerability could enable attackers to manipulate the system to their advantage, potentially leading to data theft, system damage, or further unauthorized access.

CVE-2024-21901: SQL Injection Vulnerability

The SQL injection vulnerability, identified as CVE-2024-21901, could allow authenticated administrators to inject malicious code via a network.

This vulnerability is particularly concerning as it could enable attackers to manipulate or corrupt database contents, leading to data loss or unauthorized access.

Hunter recently tweeted about a severe issue related to QNAP operating systems. The tweet warns users to be cautious and take necessary measures to avoid exploitation.

A critical vulnerability (CVE-2024-21899, CVSS 9.8) has been found in multiple versions of QNAP operating systems.

Affected and Fixed Versions

QNAP has taken swift action to address these vulnerabilities by releasing updates for the affected products.

Discovering these vulnerabilities in QNAP’s systems is a crucial reminder to maintain up-to-date security measures. 

The following table outlines the affected products and their corresponding fixed versions:

Users of the affected versions are urged to update their systems and applications to the latest versions to protect against these vulnerabilities.

To safeguard against these vulnerabilities, QNAP strongly recommends that users regularly update their systems and applications to the latest versions.

These updates include critical fixes that can protect devices from potential attacks.

Users can update their QTS, QuTS hero, or QuTScloud systems via the Control Panel’s Firmware Update section or download the updates directly from the QNAP website.

For myQNAPcloud, updates can be performed through the App Center.

The discovery of these vulnerabilities was credited to DEVCORE, under the identifiers ZDI-CAN-22493/22494.

QNAP’s swift response underscores the importance of proactive security measures and the company’s commitment to protecting its users. 

Users of QNAP devices are urged to update their systems immediately to protect against potential threats.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.