Security News > 2022 > May > QNAP fixes critical QVR remote command execution vulnerability
QNAP has released several security advisories today, one of them for a critical security issue that allows remote execution of arbitrary commands on vulnerable QVR systems, the company's video surveillance solution hosted on a NAS device.
QNAP's advisory explains that the "Vulnerability has been reported to affect QNAP VS Series NVR running QVR. If exploited, this vulnerability allows remote attackers to run arbitrary commands."
As we have seen in the past, critical vulnerabilities in QNAP systems are leveraged almost immediately in cyberattacks when an exploit becomes publicly available.
Apart from the critical issue in QVR, QNAP also addressed eight vulnerabilities in other products, with severity ratings between medium and high.
CVE-2022-27588: Critical-severity RCE in QNAP QVR. CVE-2021-38693: Medium-severity path traversal vulnerability in thttpd, affecting QTS, QuTS hero, and QuTScloud.
CVE-2021-44051: High-severity command injection flaw that allows arbitrary remote command execution in QTS, QuTS hero, and QuTScloud.
News URL
Related news
- BeyondTrust fixes critical vulnerability in remote access, support solutions (CVE-2024-12356) (source)
- Hackers Exploiting Critical Fortinet EMS Vulnerability to Deploy Remote Access Tools (source)
- Critical SailPoint IdentityIQ Vulnerability Exposes Files to Unauthorized Access (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)
- Critical OpenWrt Vulnerability Exposes Devices to Malicious Firmware Injection (source)
- BeyondTrust Issues Urgent Patch for Critical Vulnerability in PRA and RS Products (source)
- Sophos Firewall vulnerable to critical remote code execution flaw (source)
- Sophos discloses critical Firewall remote code execution flaw (source)
- Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-05-05 | CVE-2022-27588 | Command Injection vulnerability in Qnap QVR 5.1.5 We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.6 build 20220401 and later | 9.8 |
| 2022-05-05 | CVE-2021-44051 | Command Injection vulnerability in Qnap Qts, Quts Hero and Qutscloud A command injection vulnerability has been reported to affect QNAP NAS running QuTScloud, QuTS hero and QTS. | 8.8 |
| 2022-05-05 | CVE-2021-38693 | Path Traversal vulnerability in Qnap QTS and Qutscloud A path traversal vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, QTS, QVR Pro Appliance. | 5.3 |