Top NAS device maker QNAP has fixed a high-severity vulnerability which allowed threat actors to execute arbitrary commands on target endpoints.
This zero-day flaw was described as an OS command injection weakness, plaguing the company's disaster recovery and data backup solution called HBS 3 Hybrid Backup Sync. Versions 25.1.x were said to be vulnerable.
The bug is tracked as CVE-2024-50388, and is yet to be assigned a severity score.
"An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands," the company said in a follow-up security advisory.
Pwn2Own
If your organization is using these devices, make sure to upgrade to the latest version as soon as possible. To protect against potential compromise, make sure to get your HBS 3 Hybrid Backup Sync to version 25.1.1.673 or newer.
Updating can be done through the NAS device, by logging into QTS or QuTS hero as admin, navigating to the App Center, navigating to "HBS 3 Hybrid Backup Sync", and looking for the "Update" button. If it's not available, that means the tool is up to date.
The vulnerability was first discovered during the Pwn2Own Ireland 2024 hackathon, when two Viettel Cyber Security researchers, Ha The Long and Ha Anh Hoang, used it to execute arbitrary code and gain admin privileges on a TS-464 NAS device. The team ended up winning the hackathon.
QNAP is one of the world's most popular manufacturers of NAS devices, and as such is a major target for cybercriminals. NAS devices are often used to store sensitive personal files which, if stolen, can be used as leverage in an extortion attempt. QNAP often releases patches to address different vulnerabilities, and it would be wise to keep these instances updated at all times.
Via BleepingComputer