Taiwan-based QNAP Systems has promptly addressed a myriad of vulnerabilities across its product lineup, releasing patches for two dozen flaws, among which are two high-severity vulnerabilities capable of command execution. These vulnerabilities, tracked as CVE-2023-45025 and CVE-2023-39297, pertain to OS command injection and affect several versions of QNAP’s software including QTS and QuTS hero. While the first flaw permits command execution over the network under specific configurations, the second flaw necessitates authentication for successful exploitation.
Moreover, QNAP has also tackled CVE-2023-47567 and CVE-2023-47568, two remotely exploitable vulnerabilities requiring administrator authentication for successful exploitation. The former is an OS command injection flaw, while the latter is an SQL injection vulnerability, both posing considerable security risks to QTS, QuTS hero, and QuTScloud users. These vulnerabilities have been addressed in the latest versions of the respective software releases.
Additionally, QNAP has resolved another high-severity vulnerability affecting Qsync Central versions 4.4.x and 4.3.x. Tracked as CVE-2023-47564, this flaw involves incorrect permission assignment for critical resources, potentially allowing authenticated users to read or modify sensitive data over the network. QNAP promptly released patches for this vulnerability with the latest Qsync Central versions.