Critical remote code execution flaw in QNAP QTS and QuTS hero NAS. Patch immediately

Cybersecurity specialists report the detection of a critical vulnerability affecting QNAP QTS and QNAP QuTS hero, two versions of the operating system for network attached storage (NAS) equipment developed by QNAP.

In the report, the flaw was described as a heap-based buffer overflow that exists due to a limit error when Apple File Protocol (AFP) is enabled. Remote threat actors could pass specially crafted data to affected applications to trigger the error and execute remote code on the affected system.

This is a highly severe vulnerability and its successful exploitation would allow the total compromise of the exposed systems. The flaw received a score of 8.5/10 according to the Common Vulnerability Scoring System (CVSS) and does not yet receive CVE identification key.

According to the security alert, the flaws reside in the following versions of the vulnerable products:

  • QNAP QTS: prior to 4.3.3.1799 20211008, 4.3.6.1831 20211019, 4.5.4.1800 20210923 and 5.0.0.1808 20211001
  • QuTS hero: prior to h4.5.4.1813 build 20211006 and h5.0.0.1844 build 20211105

Although the flaw can be exploited by unauthenticated threat actors, no active exploitation attempts have been detected so far. Still, users of affected deployments are encouraged to upgrade as soon as possible.  

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.