Security News > 2021 > September > QNAP fixes bug that let attackers run malicious commands remotely
Taiwan-based network-attached storage maker QNAP has released security patches for multiple vulnerabilities that could allow attackers to inject and execute malicious code and commands remotely on vulnerable NAS devices.
Three of the security flaws fixed today by QNAP are high severity stored cross-site scripting vulnerabilities affect devices running unpatched Photo Station software.
QNAP also patched a stored XSS Image2PDF flaw impacting devices running software versions released before Image2PDF 2.1.5.
The company also addressed a command injection bug affecting some QNAP end-of-life devices running the QVR IP video surveillance software that helps attackers run arbitrary commands.
QNAP warned in September 2020 of a surge in ransomware attacks encrypting files on publicly exposed NAS storage devices.
As BleepingComputer reported at the time, QNAP customers' devices were being hit by AgeLocker ransomware which was targeting older unpatched versions of Photo Station, an app used to upload photos, create albums, and view them remotely.