QNAP Systems Fixes Bugs in QuRouter and Notes Station 3

Exploits Could Allow Remote Command Execution and Access Prajeet Nair (@prajeetspeaks) • November 26, 2024

Taiwanese network-attached storage manufacturer QNAP Systems patched multiple flaws in its operating system and applications that could allow attackers to compromise devices.

See Also: Frost Radar™ on Healthcare IoT Security in the United States

QNAP disclosed on Saturday multiple vulnerabilities in several network-attached storage, NAS, models, including three critical flaws with CVSS scores above 9.0. The disclosure included multiple flaws in QNAP's router operating system QuRouter OS.

Other QNAP products impacted by the vulnerabilities include Photo Station, AI Core, QuLog Center, Media Streaming Add-on, QTS and QuTS hero.

The two critical command injection vulnerabilities in QuRouter 2.4.x, tracked as CVE-2024-48860 and CVE-2024-48861, could allow remote attackers to execute arbitrary commands. CVE-2024-48860 is an OS command injection flaw and rated a critical 9.5 on the CVSS scale.

These devices are ...