QNAP has addressed several critical security vulnerabilities in its Network Attached Storage (NAS) and QuRouter products that could allow attackers to execute arbitrary commands remotely on vulnerable devices. These flaws primarily affect QNAP’s NAS solutions, which are used by trusted IT service providers, including Accenture and Infosys, as well as various organizations across the media, healthcare, and education sectors.
The vulnerabilities were disclosed in separate advisories by QNAP. The first advisory covers Notes Station 3, a collaboration application for NAS devices, which has a critical flaw tracked as CVE-2024-38643. This missing-authentication issue could grant remote attackers unauthorized access and carries a CVSS severity score of 9.8. It affects Notes Station 3 versions 3.9.x and has been resolved in subsequent updates. Additionally, a server-side request forgery flaw (CVE-2024-38645), rated 9.4, allows attackers who have gained access through the previous vulnerability to obtain full application data. A third vulnerability, CVE-2024-38644, permits remote command execution on affected systems and holds a high severity rating of 8.8.
In tandem, another advisory addressed vulnerabilities in QNAP’s QuRouter network devices. One such flaw, tracked as CVE-2024-48860, is a command injection vulnerability in QuRouterOS rated critical at 9.8. It affects QuRouter versions 2.4.x, and a fix is available in version 2.4.3.106 and later. A related vulnerability, CVE-2024-48861, allows local command execution on the same versions and is rated 7.8.
QNAP advises all users to update to the latest software versions to mitigate these security risks. For further details, refer to the Notes Station 3 advisory on QNAP’s website and the separate advisory for QuRouter.