Vulnerability Management, Patch/Configuration Management

Critical QNAP HBS zero-day addressed

Share
binary code and magnifying glass

(Adobe Stock)

Fixes have been issued by QNAP for a critical SQL injection zero-day flaw impacting its SMB Service, tracked as CVE-2024-50387, which was discovered and exploited by cybersecurity researcher YingMuo at the Pwn2Own Ireland hacking competition last week, according to BleepingComputer.

QNAP's patches for the SQLi issue come just days after it addressed another zero-day impacting its HBS 3 Hybrid Backup Sync disaster recovery and data backup solution, which was discovered and leveraged by the Viettel Cyber Security team to compromise a TS-464 network-attached storage device during the competition. Immediate implementation of the released patches has been urged as QNAP devices remain highly targeted by threat actors, with organizations instructed to apply the fixes by logging in as admin to QuTS hero or QTS and clicking "Update" within "SMB Service." QNAP has previously reported eCh0raix, DeadBolt, Checkmate, and AgeLocker ransomware attacks against its NAS devices over the past four years.

Related

Remote takeover likely with mySCADA myPRO flaws

Threat actors could leverage the bugs — which include improper and missing authentication, OS command injection, and path traversal vulnerabilities that have already been addressed by mySCADA after reporting by cybersecurity researcher Michael Heinzl — to execute arbitrary OS commands with escalated privileges and obtain unwarranted system and file access.

Related Events

Related Terms

BugBuffer OverflowDisassembly

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.