Security News > 2021 > April > Exploit Released for Critical Vulnerability Affecting QNAP NAS Devices
An exploit is now publicly available for a remote code execution vulnerability affecting QNAP network-attached storage devices that run the Surveillance Station video management system.
The bug, specifically a memory corruption issue, was found to impact QNAP NAS devices running Surveillance Station versions 5.1.5.4.2 and 5.1.5.3.2, and was addressed in February this year.
Tracked as CVE-2020-2501, this security hole is a stack-based buffer overflow that could be abused by remote attackers to execute code on an affected system, without authentication.
In its advisory, QNAP credits an independent researcher for finding and reporting the flaw, but does not provide further details on the issue itself or on its exploitation.
This week, vulnerability hunting and disclosure company SSD Secure Disclosure published additional details on the vulnerability, as well as exploit code to demonstrate how attacks targeting it work.
An attacker could send a specially crafted HTTP request to a vulnerable QNAP NAS device, which would overflow an internal buffer that the Surveillance Station plugin uses, thus achieving arbitrary code execution.
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-02-17 | CVE-2020-2501 | Out-of-bounds Write vulnerability in Qnap Surveillance Station. A stack-based buffer overflow vulnerability has been reported to affect QNAP NAS devices running Surveillance Station. | 7.5 |