Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

QNAP patches worrying NAS security flaw, so update now

An abstract image of a lock against a digital background, denoting cybersecurity.

Top NAS device manufacturer QNAP has fixed a high-severity vulnerability which allowed threat actors to execute arbitrary commands on target endpoints.

This zero-day flaw was described as an OS command injection weakness, plaguing the company’s disaster recovery and data backup solution called HBS 3 Hybrid Backup Sync. Versions 25.1.x were said to be vulnerable.

The bug is tracked as CVE-2024-50388, and is yet to be given a severity score.

"An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands," the company said in a follow-up security advisory.

Pwn2Own

If your organization is using these devices, make sure to upgrade to the latest version as soon as possible - to protect against potential compromise, make sure to get your HBS 3 Backup Sync to versions 25.1.1.673, or newer.

Updating can be done through the NAS device, by logging into QTS or QuTS hero as admin, navigating to the App Center, navigating to “HBS 3 Hybrid Backup Sync”, and looking for the “Update” button. If it’s not available, that means the tool is up to date.

The vulnerability was first discovered during the Pwn2Own Ireland 2024 hackathon, when two Viettel Cyber Security researchers, Ha The Long, and Ha Anh Hoang, used it to execute arbitrary code and gain admin privileges on a TS-464 NAS device. The team ended up winning the hackathon.

QNAP is one of the world’s most popular manufacturers of NAS devices, and as such is a major target for cybercriminals. NAS devices are often used to store sensitive personal files which, if stolen, can be used as leverage in an extortion attempt. QNAP often releases patches to address different vulnerabilities, and it would be wise to keep these instances updated at all times.

Via BleepingComputer

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.