Fixes have been issued by QNAP for two critical command injection vulnerabilities affecting its network-attached storage devices, which could be leveraged to facilitate arbitrary code execution, reports The Hacker News.
According to QNAP, the first flaw, tracked as CVE-2023-23368, affects QTS 4.5.x and 5.0.x, QuTS hero h4.5x and h5.0x, and QuTScloud c5.0x. The second bug, tracked as CVE-2023-23369, affects QTS 4.2.x, 4.3.3, 4.3.4, 4.3.6, and 5.1.x, as well as Multimedia Console 1.4.x and 2.1.x and the Media Streaming add-on 500.0.x and 500.1.x.
"If exploited, the vulnerability could allow remote attackers to execute commands via a network," said QNAP, which called on organizations using the vulnerable software versions to immediately apply the updates.
The security updates come weeks after QNAP reported that it had disrupted a command-and-control server used in brute-force attacks against internet-facing NAS devices with weak password security.