QNAP has released security updates to address a critical vulnerability (CVE-2024-21899) affecting their QTS, QuTS hero, QuTScloud, and myQNAPcloud products. The vulnerability has a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10.
Successful exploitation of the authentication bypass vulnerability could allow a remote attacker to gain unauthorised access to the Network Attached Storage (NAS) device, resulting in high impact to confidentiality, integrity, and availability of the system.
The vulnerability affects the following products:
QTS 5.1.xQTS 4.5.xQuTS hero h5.1.xQuTS hero h4.5.xQuTScloud c5.xmyQNAPcloud 1.0.x serviceUsers and administrators of affected products are advised to update to the latest versions immediately.
More information is available here:
https://www.qnap.com/en/security-advisory/qsa-24-09https://www.bleepingcomputer.com/news/security/qnap-warns-of-critical-auth-bypass-flaw-in-its-nas-devices/