Thursday, January 23, 2025
HomeCVE/vulnerabilityQNAP High Severity Vulnerabilities Let Remote attackers to Compromise System

QNAP High Severity Vulnerabilities Let Remote attackers to Compromise System

Published on

SIEM as a Service

Follow Us on Google News

QNAP Systems, Inc. has identified multiple high-severity vulnerabilities in its operating systems, potentially allowing attackers to compromise systems and execute malicious activities.

These issues affect several versions of QNAP’s QTS and QuTS hero operating systems. Users are urged to update their devices immediately to mitigate security risks. Below is an overview of the identified vulnerabilities:

Critical Vulnerabilities Reported

  1. CVE-2024-48859: Exploited via improper authentication, this vulnerability could allow remote attackers to compromise the system’s security.
  2. CVE-2024-48865: Improper certificate validation could enable attackers with local network access to breach the system’s security.
  3. CVE-2024-48866: Improper handling of URL encoding (hex encoding) could allow remote attackers to put the system in an unexpected state.
  4. CVE-2024-48867 and CVE-2024-48868: CRLF injection vulnerabilities in the system might enable remote attackers to alter application data.
  5. CVE-2024-50393: A command injection vulnerability could allow remote attackers to execute arbitrary commands on the system.
  6. CVE-2024-50402 and CVE-2024-50403: Exploitation of externally controlled format string vulnerabilities might allow attackers with administrator access to obtain sensitive data or modify memory.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Affected Products and Fixed Versions

QNAP has released patches for the affected versions to resolve these vulnerabilities. Ensure your system runs one of the fixed versions listed below:

Affected ProductFixed Version
QTS 5.1.xQTS 5.1.9.2954 build 20241120 and later
QTS 5.2.xQTS 5.2.2.2950 build 20241114 and later
QuTS hero h5.1.xQuTS hero h5.1.9.2954 build 20241120 and later
QuTS hero h5.2.xQuTS hero h5.2.2.2952 build 20241116 and later

Recommendation for Mitigation

To safeguard your device, promptly update your operating system to the latest version. Follow these steps:

  1. Log in to QTS or QuTS hero as an administrator.
  2. Navigate to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update to download and install the latest firmware.
  4. Alternatively, visit the QNAP Support > Download Center to perform a manual update.

Proactively updating your system ensures protection against these high-severity threats. Regular firmware updates are essential for maintaining system security and stability.

Investigate Real-World Malicious Links,Malware & Phishing Attacks With ANY.RUN - Try for Free

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...