QNAP has patched two critical command injection vulnerabilities

Taiwan’s QNAP Systems has patched two critical vulnerabilities in the QTS operating system and applications on NAS devices. The vulnerabilities allowed an attacker to send unauthorized commands to the applications.

The command injection vulnerabilities are tracked under CVE-2023-23368 and CVE-2023-233669. QNAP has now closed the vulnerabilities through a firmware update. The severity of the first vulnerability was rated with a CVSS of 9.8 out of 10. The affected QTS versions were QTS 5.0.x, QTS 4.5.x, QuTS hero h5.0.x, QuTS hero h4.5.x and QuTScloud c5.0.1.

The second vulnerability had a CVSS of 9 out of 10, affecting the following versions: 5.1.x, 4.3.6, 4.3.4, 4.3.3, and 4.2.x. This also concerned Multimedia Console 2.1.x and 1.4.x, as well as Media Streaming add-on 500.1.x and 500.0.x.