QNAP has issued fixes for a critical SQL injection zero-day flaw in its SMB Service, tracked as CVE-2024-50387, which was discovered and exploited by cybersecurity researcher YingMuo at the Pwn2Own Ireland hacking competition last week, according to BleepingComputer.

QNAP's patches for the SQLi issue come just days after it addressed another zero-day affecting its HBS 3 Hybrid Backup Sync disaster recovery and data backup solution, which the Viettel Cyber Security team discovered and leveraged to compromise a TS-464 network-attached storage device during the competition.

Immediate installation of the released patches has been urged, as QNAP devices remain highly targeted by threat actors; organizations are instructed to apply the fixes by logging in as admin to QuTS hero or QTS and clicking "Update" within "SMB Service." QNAP has previously reported eCh0raix, DeadBolt, Checkmate, and AgeLocker ransomware attacks against its NAS devices over the past four years.