QNAP fixes many security updates after major issues
- QNAP addresses 17 vulnerabilities with a variety of patches
- Affected products include Notes Station 3, QuRouter, and others
- Some bugs are considered critical and very dangerous
QNAP has released fixes for a number of security issues, including several flaws that are considered “critical.”
In total, QNAP has addressed 17 different vulnerabilities, and the full detailed list can be found at this link. Because many of the flaws are critical and can be used to take over endpoints, steal sensitive data, and deploy malware, users are advised to apply the patches as soon as possible.
In its security advisory, QNAP says the vulnerabilities affect Notes Station 3, QuRouter, AI Core, QuLog Center, QTS and QuTS Hero.
Patches and fixes
The most serious bug is an operating system command injection flaw, which allows threat actors to execute arbitrary commands on the target system. It affects QNAP’s fast, secure routers QuRouter 2.4.x. It is tracked as CVE-2024-48860 and has a severity score of 9.5 (critical).
The second highest critical vulnerability is tracked as CVE-2024-38645 and has a score of 9.4. It was found in Notes Station 3, QNAP’s note-taking and collaboration application, and is tracked as CVE-2024-38645. This is described as a server-side request forgery (SSRF) bug that allows threat actors with authentication credentials to send tailored requests and ultimately expose sensitive app data.
Another flaw in Notes Station 3 made the top three, CVE-2024-38643, with a severity score of 9.3. This missing authentication for critical functions bug allows criminals to gain unauthorized access and perform various system functions, which can lead to credentials theft and system compromise.
QNAP devices are extremely popular targets for cybercriminals and should therefore be handled with care. Security experts recommend this advice to never be directly connected to the internet, but to be protected behind a VPN.
Via BleepingComputer