Description:
QNAP has published security advisories to address multiple vulnerabilities in QNAP products. The list of patches can be found at:
https://www.qnap.com/en/security-advisory/qsa-24-51
https://www.qnap.com/en/security-advisory/qsa-24-52
https://www.qnap.com/en/security-advisory/qsa-24-53
https://www.qnap.com/en/security-advisory/qsa-24-54
https://www.qnap.com/en/security-advisory/qsa-24-55
https://www.qnap.com/en/security-advisory/qsa-25-01
https://www.qnap.com/en/security-advisory/qsa-25-03
https://www.qnap.com/en/security-advisory/qsa-25-05
https://www.qnap.com/en/security-advisory/qsa-25-06
https://www.qnap.com/en/security-advisory/qsa-25-07
Affected Systems:
- QNAP NAS devices running File Station 5 versions prior to 5.5.6.4741
- QNAP NAS devices running Helpdesk versions prior to 3.3.3
- QNAP NAS devices running HBS 3 Hybrid Backup Sync versions prior to 25.1.4.952
- QNAP NAS devices running Qfinder Pro versions prior to Mac 7.11.1
- QNAP NAS devices running QVPN Device Client versions prior to Mac 2.2.5
- QNAP NAS devices running QuLog Center versions prior to 1.7.0.829 (2024/10/01), 1.8.0.888 (2024/10/15)
- QNAP NAS devices running QuRouter versions prior to 2.4.5.032, 2.4.6.028
- QNAP NAS devices running Qsync Client versions prior to Mac 5.1.3
- QNAP NAS devices running QTS operating system versions prior to 4.5.4.2957 build 20241119, 5.1.9.2954 build 20241120, 5.2.0.2851 build 20240808, 5.2.3.3006 build 20250108
- QNAP NAS devices running QuTS hero operating system versions prior to h4.5.4.2956, h5.1.9.2954 build 20241120, h5.2.0.2851 build 20240808, h5.2.3.3006 build 20250108
For detailed information on the affected systems, please refer to the corresponding security advisory on the vendor's website.
Impact:
Successful exploitation of the vulnerabilities could lead to remote code execution, denial of service, information disclosure, security restriction bypass, spoofing or tampering on an affected system.
Recommendation:
Patches for affected systems are available. System administrators of affected systems should follow the recommendations provided by the vendor and take immediate action to mitigate the risk.
More Information:
- https://www.qnap.com/en/security-advisory/qsa-24-51
- https://www.qnap.com/en/security-advisory/qsa-24-52
- https://www.qnap.com/en/security-advisory/qsa-24-53
- https://www.qnap.com/en/security-advisory/qsa-24-54
- https://www.qnap.com/en/security-advisory/qsa-24-55
- https://www.qnap.com/en/security-advisory/qsa-25-01
- https://www.qnap.com/en/security-advisory/qsa-25-03
- https://www.qnap.com/en/security-advisory/qsa-25-05
- https://www.qnap.com/en/security-advisory/qsa-25-06
- https://www.qnap.com/en/security-advisory/qsa-25-07
- https://www.hkcert.org/security-bulletin/qnap-nas-multiple-vulnerabilities_20250310
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13086
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38638
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48864
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50390
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50394
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50405
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53692 (to CVE-2024-53700)