
Critical QNAP HBS zero-day addressed


QNAP has issued fixes for a critical SQL injection zero-day flaw impacting its SMB Service, tracked as CVE-2024-50387, according to BleepingComputer. The flaw was discovered and exploited by cybersecurity researcher YingMuo at the Pwn2Own Ireland hacking competition last week.

QNAP's patches for the SQLi issue come just days after it addressed another zero-day impacting its HBS 3 Hybrid Backup Sync disaster recovery and data backup solution, which was discovered and leveraged by the Viettel Cyber Security team to compromise a TS-464 network-attached storage device during the competition.

Immediate implementation of the released patches has been urged, as QNAP devices remain highly targeted by threat actors. Organizations have been instructed to apply the fixes by logging in as admin to QuTS hero or QTS and clicking "Update" within "SMB Service." QNAP has previously reported eCh0raix, DeadBolt, Checkmate, and AgeLocker ransomware attacks against its NAS devices over the past four years.
