Critical OS Command Injection Vulnerability Patched in QNAP NAS Devices

CVE: CVE-2023-23369
CVSS (cvssV3_1): 9
Source: CVE-2023-23369

QNAP NAS devices were found to have a serious OS command injection vulnerability that could allow remote attackers to execute arbitrary commands on affected devices. OS command injection occurs when unvalidated user input is passed to the OS shell, enabling attackers to inject and execute malicious commands.
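The mechanism described above, shown as a vulnerable pattern beside a hardened one. This is an added example, not QNAP's code: this page does not describe the affected code path, so the function names, the `name` parameter and the `echo` stand-in command are assumptions, and the input is constructed.

```python
import re
import subprocess

# Allowlist for the hypothetical "name" parameter: letters, digits, '.', '_', '-'.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")

# Constructed input: the ';' is harmless data unless a shell gets to parse it.
CONSTRUCTED_INPUT = "disk1; echo SECOND_COMMAND_RAN"


def label_unsafe(name: str) -> str:
    """Vulnerable pattern: input is concatenated into a shell command line."""
    # shell=True passes the whole string to /bin/sh, which treats ';', '|',
    # '&&', '$()' and backticks in `name` as syntax rather than text.
    done = subprocess.run("echo label=" + name, shell=True,
                          capture_output=True, text=True)
    return done.stdout


def label_argv(name: str) -> str:
    """No shell: the program receives `name` as one literal argument."""
    done = subprocess.run(["echo", "label=" + name],
                          capture_output=True, text=True, check=True)
    return done.stdout


def label_safe(name: str) -> str:
    """Hardened pattern: validate against the allowlist, then run without a shell."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("name contains characters outside the allowlist")
    return label_argv(name)


if __name__ == "__main__":
    print("unsafe:", repr(label_unsafe(CONSTRUCTED_INPUT)))
    print("argv:  ", repr(label_argv(CONSTRUCTED_INPUT)))
    try:
        label_safe(CONSTRUCTED_INPUT)
    except ValueError as exc:
        print("safe:   rejected:", exc)
    print("safe:  ", repr(label_safe("disk1")))
```

The first call runs two commands because the shell parses the separator; the argv form prints the same bytes back as a single literal argument, and the allowlist rejects the input before any process is started.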

In this case, several versions of QNAP software such as QTS and Multimedia Console were vulnerable. An attacker on the local network could craft and send malicious requests containing OS commands to exploit this vulnerability. If successful, the attacker could completely take over the device and access or modify files and settings.

QNAP has now released security updates patching the vulnerability in multiple QTS and Multimedia Console versions. Users are strongly advised to update their QNAP NAS devices to the latest firmware version available. It is also a good idea to change default credentials, enable the firewall, and restrict access to trusted IP addresses only, which reduces the attack surface. Regular security updates help keep devices protected from newly discovered vulnerabilities.
