Critical Vulnerabilities in QNAP QTS Operating System and Applications

Published on 07 Nov 2023

QNAP has released security updates to address two critical vulnerabilities (CVE-2023-23368 and CVE-2023-23369) that impact multiple versions of the QTS Operating System (OS) and applications on its network-attached storage (NAS) devices. CVE-2023-23368 has a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10.

Successful exploitation of the OS command injection vulnerabilities could allow attackers to execute commands via a network remotely.

 The vulnerabilities affect the following product versions:

  • CVE-2023-23368: QTS 5.0.x, 4.5.x; QuTS hero h5.0.x, h4.5.x; QuTScloud c5.0.x
  • CVE-2023-23369: QTS 5.1.x, 4.3.6, 4.3.4, 4.3.3, 4.2.x; Multimedia Console 2.1.x, 1.4.x; Media Streaming add-on 500.1.x, 500.0.x

Users and administrators of affected product versions are advised to update to the latest versions immediately. 

Administrators can log in and navigate to Control Panel > System > Firmware Update, and click on "Check for Update" under Live Update to download and install the latest version for QTS, QuTS hero, or QuTScloud. Updates are also available as manual downloads from QNAP's website here:

 To update the Multimedia Console and Media Streaming add-on, administrators can search for the installation in the App Center and click on the "Update" button (available only if a newer version exists).

 More information is available here: