QNAP Systems has patched two access control vulnerabilities that affect QTS Helpdesk software.
An attacker could exploit each of these vulnerabilities to take control of an impacted QNAP network-attached storage (NAS) device.
The two improper access control vulnerabilities (CVE-2020-2506 and CVE-2020-2507) affect earlier versions of QTS.
QNAP has fixed these issues in Helpdesk 3.0.3 and later versions.
Readers may remember that just this past May, security researchers discovered that nearly 450,000 vulnerable, unpatched QNAP NAS devices were exposed to the internet.
In July, cyber criminals also used QSnatch malware to target vulnerable QNAP Network Attached Storage (NAS) devices.
Back in May 2018, the VPNFilter router malware targeted 500K unpatched networking devices worldwide.
At that time, Talos said that impacted devices included QNAP network-attached storage (NAS) devices, as well as equipment from a host of other networking vendors, including Linksys, MikroTik, NETGEAR and TP-Link.
These examples highlight the critical need to prioritize patching QNAP devices in general, especially if they are exposed to the internet.