Security News > 2022 > May > QNAP fixes critical QVR remote command execution vulnerability
QNAP has released several security advisories today, one of them for a critical security issue that allows remote execution of arbitrary commands on vulnerable QVR systems, the company's video surveillance solution hosted on a NAS device.
QNAP's advisory explains that the "Vulnerability has been reported to affect QNAP VS Series NVR running QVR. If exploited, this vulnerability allows remote attackers to run arbitrary commands."
As we have seen in the past, critical vulnerabilities in QNAP systems are leveraged almost immediately in cyberattacks when an exploit becomes publicly available.
Apart from the critical issue in QVR, QNAP also addressed eight vulnerabilities in other products, with severity ratings between medium and high.
CVE-2022-27588: Critical-severity RCE in QNAP QVR. CVE-2021-38693: Medium-severity path traversal vulnerability in thttpd, affecting QTS, QuTS hero, and QuTScloud.
CVE-2021-44051: High-severity command injection flaw that allows arbitrary remote command execution in QTS, QuTS hero, and QuTScloud.
News URL
Related news
- New PHP Vulnerability Exposes Windows Servers to Remote Code Execution (source)
- Microsoft Issues Patches for 51 Flaws, Including Critical MSMQ Vulnerability (source)
- ASUS warns of critical remote authentication bypass on 7 routers (source)
- VMware fixes critical vCenter RCE vulnerability, patch now (source)
- Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool (source)
- Critical SQLi Vulnerability Found in Fortra FileCatalyst Workflow Application (source)
- GitLab Releases Patch for Critical CI/CD Pipeline Vulnerability and 13 Others (source)
- Critical vulnerability in the RADIUS protocol leaves networking equipment open to attack (source)
- New OpenSSH Vulnerability Discovered: Potential Remote Code Execution Risk (source)
- Critical Exim Mail Server Vulnerability Exposes Millions to Malicious Attachments (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-05-05 | CVE-2022-27588 | Command Injection vulnerability in Qnap QVR We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.6 build 20220401 and later | 7.5 |
2022-05-05 | CVE-2021-44051 | Command Injection vulnerability in Qnap Qts, Quts Hero and Qutscloud A command injection vulnerability has been reported to affect QNAP NAS running QuTScloud, QuTS hero and QTS. | 8.8 |
2022-05-05 | CVE-2021-38693 | Path Traversal vulnerability in Qnap QTS and Qutscloud A path traversal vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, QTS, QVR Pro Appliance. | 5.0 |