QNAP has fixed a high-severity command injection vulnerability, CVE-2020-25847, in its QTS and QuTS hero NAS operating systems.
An attacker could exploit the flaw to take control of affected QNAP network-attached storage (NAS) devices.
QNAP published security advisory QSA-20-20 on December 23, 2020; the patched firmware addresses the command injection vulnerability in both the QTS and QuTS hero product lines.
“If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application,” QNAP warned in security advisory QSA-20-20.
The NIST NVD entry for CVE-2020-25847 assigns it a CVSS score of 8.8 (High).
Affected QNAP versions
QNAP has fixed the vulnerability in the following versions (as listed in QSA-20-20):
- QTS 4.5.1.1495 build 20201123 (and later)
- QuTS hero h4.5.1.1491 build 20201119 (and later)
QTS 4.3.x and QTS 4.2.x are not affected. Any device running a QTS or QuTS hero release older than the builds above should be updated.
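Comparing a device's firmware string against the fixed builds by eye is error-prone because the fix is identified by a four-part version plus a build date, and the "h" prefix on QuTS hero versions must be ignored. The following script is an added example written for this article, not QNAP code; it assumes the version string is the one shown in Control Panel > System > Firmware Update (e.g. "4.5.1.1456 build 20201015"), and uses the fixed builds from QSA-20-20 as quoted above. Where the version matches the fixed one but the build date is missing, it returns None rather than guessing.

```python
import re
from typing import Optional, Tuple

# Fixed versions from QNAP advisory QSA-20-20 (assumed transcribed correctly).
FIXED = {
    "QTS": "4.5.1.1495 build 20201123",
    "QuTS hero": "h4.5.1.1491 build 20201119",
}

# Branches the advisory states are not affected (QTS only).
NOT_AFFECTED_QTS_BRANCHES = {(4, 3), (4, 2)}

# Accepts "4.5.1.1495 build 20201123", "h4.5.1.1491 build 20201119" or "4.5.1.1495".
_VER_RE = re.compile(r"^\s*h?(\d+(?:\.\d+)*)(?:\s+build\s+(\d{8}))?\s*$", re.IGNORECASE)


def parse_version(s: str) -> Tuple[Tuple[int, ...], Optional[int]]:
    """Split a QNAP firmware string into (numeric parts, build date or None)."""
    m = _VER_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {s!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else None
    return parts, build


def is_vulnerable(product: str, installed: str) -> Optional[bool]:
    """True if the installed firmware predates the CVE-2020-25847 fix,
    False if it is fixed or on an unaffected branch, None if undecidable."""
    if product not in FIXED:
        raise ValueError(f"unknown product {product!r}; expected one of {list(FIXED)}")
    inst_parts, inst_build = parse_version(installed)
    fix_parts, fix_build = parse_version(FIXED[product])

    if product == "QTS" and inst_parts[:2] in NOT_AFFECTED_QTS_BRANCHES:
        return False  # advisory: QTS 4.3.x / 4.2.x not affected

    # Tuple comparison handles differing lengths ("4.5.1" < "4.5.1.1495"),
    # and anything below the fixed release (e.g. any QTS 4.4.x) is flagged,
    # since the advisory text above gives no separate fixed build for it.
    if inst_parts < fix_parts:
        return True
    if inst_parts > fix_parts:
        return False
    # Same numeric version: the build date decides, if we have it.
    if inst_build is None:
        return None
    return inst_build < fix_build


def triage(inventory):
    """Classify an inventory of (hostname, product, version) tuples.
    Returns (vulnerable hostnames, fixed hostnames, undecidable hostnames)."""
    vuln, fixed, unknown = [], [], []
    for host, product, ver in inventory:
        r = is_vulnerable(product, ver)
        (unknown if r is None else vuln if r else fixed).append(host)
    return vuln, fixed, unknown


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = [
        ("nas-01", "QTS", "4.5.1.1456 build 20201015"),
        ("nas-02", "QTS", "4.5.1.1495 build 20201123"),
        ("nas-03", "QTS", "4.3.6.1411 build 20200805"),
        ("nas-04", "QuTS hero", "h4.5.1.1472 build 20201031"),
        ("nas-05", "QTS", "4.5.1.1495"),
    ]
    v, f, u = triage(sample)
    print("vulnerable:", v)
    print("fixed/unaffected:", f)
    print("check build date:", u)
```

Devices in the third bucket share the fixed numeric version but report no build date, so they must be checked against the build number shown in the firmware update page before being marked safe.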
Previous QNAP issues
Readers may recall that QNAP patched two access control vulnerabilities in the QTS Helpdesk app in October 2020.
In May 2020, security researchers found nearly 450,000 unpatched, vulnerable QNAP NAS devices exposed to the internet.
In July 2020, cyber criminals were also using the QSnatch malware to target vulnerable QNAP NAS devices.
Going back further, the VPNFilter malware infected some 500,000 unpatched networking devices worldwide in May 2018, among them QNAP NAS models.
These incidents underline the need to prioritize patching QNAP devices, especially any that are reachable from the internet.