QNAP patches worrying NAS security flaw, so update now

There is a way to execute arbitrary commands on a QNAP device, the company confirms


News By Sead Fadilpašić published 30 October 2024


Top NAS device manufacturer QNAP has fixed a high-severity vulnerability which allowed threat actors to execute arbitrary commands on target endpoints.

This zero-day flaw was described as an OS command injection weakness, plaguing the company’s disaster recovery and data backup solution called HBS 3 Hybrid Backup Sync. Versions 25.1.x were said to be vulnerable.

The bug is tracked as CVE-2024-50388, and is yet to be given a severity score.

"An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands," the company said in a follow-up security advisory.

Pwn2Own

If your organization uses these devices, upgrade to the latest version as soon as possible: to protect against potential compromise, update HBS 3 Hybrid Backup Sync to version 25.1.1.673 or newer.

Updating can be done from the NAS device itself: log into QTS or QuTS hero as admin, open the App Center, go to “HBS 3 Hybrid Backup Sync”, and look for the “Update” button. If no such button is shown, the tool is already up to date.
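The manual App Center check above does not scale across a fleet of NAS devices. The following is an added example, not code from the article or from QNAP: given each device's installed HBS 3 version (assumed to have been collected separately; the hostnames and version strings below are constructed), it flags the devices that are still below the fixed release 25.1.1.673. It compares versions numerically, since comparing the strings lexicographically would wrongly treat a build such as 25.1.1.99 as newer than 25.1.1.673.

```python
from __future__ import annotations

# Fixed HBS 3 Hybrid Backup Sync release named in the QNAP advisory.
FIXED_VERSION = "25.1.1.673"

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "nas-finance": "25.1.1.650",   # older build in the 25.1.x series
    "nas-backup": "25.1.1.673",    # exactly the fixed release
    "nas-lab": "25.1.1.99",        # string compare would call this "newer"
    "nas-dr": "25.1.2.10",         # later minor release
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '25.1.1.673' into (25, 1, 1, 673); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is 25.1.1.673 or newer.

    Tuples compare element by element, so (25, 1, 2, 10) >= (25, 1, 1, 673)
    and a truncated (25, 1, 1) sorts below (25, 1, 1, 673), i.e. unpatched.
    """
    return parse_version(installed) >= parse_version(fixed)


def needs_update(inventory: dict[str, str]) -> list[str]:
    """Return the hostnames whose HBS 3 build is still below the fixed release."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


if __name__ == "__main__":
    for host in needs_update(SAMPLE_INVENTORY):
        print(f"{host}: HBS 3 {SAMPLE_INVENTORY[host]} < {FIXED_VERSION}, update required")
```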

The vulnerability was first discovered during the Pwn2Own Ireland 2024 hackathon, when two Viettel Cyber Security researchers, Ha The Long and Ha Anh Hoang, used it to execute arbitrary code and gain admin privileges on a TS-464 NAS device. The team ended up winning the hackathon.
