QNAP QTS zero-day in Share feature gets public RCE exploit
Security News, May 2024
The above bugs impact QTS, the NAS operating system on QNAP devices; QuTScloud, the VM-optimized version of QTS; and QuTS hero, a specialized version focused on high performance.
QNAP has addressed CVE-2023-50361 through CVE-2023-50364 in a security update released in April 2024, in versions QTS 5.1.6.2722 build 20240402 and later, and QuTS hero h5.1.6.2734 build 20240414 and later.
To exploit CVE-2024-27130, the attacker needs a valid 'ssid' parameter, which is generated when a NAS user shares a file from their QNAP device.
WatchTowr published an exploit on GitHub that demonstrates how to craft a payload that creates a 'watchtowr' account on a QNAP device and adds it to the sudoers for elevated privileges.
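A defender-side triage sketch for the two checkable facts above, added here as an example and not taken from QNAP or watchTowr: it compares a firmware string against the fixed releases listed for CVE-2023-50361 through CVE-2023-50364 and looks for the 'watchtowr' account in passwd and sudoers content. The function names and sample lines are constructed for illustration, the caller supplies the file contents, and the version check says nothing about CVE-2024-27130, for which the text above gives no fixed release.

```python
import re

# Fixed releases for CVE-2023-50361 through CVE-2023-50364, as listed in the article.
FIXED = {
    "QTS": ((5, 1, 6, 2722), 20240402),
    "QuTS hero": ((5, 1, 6, 2734), 20240414),
}
POC_ACCOUNT = "watchtowr"  # account name the article says the public PoC creates

_FW = re.compile(r"^(QTS|QuTS hero)\s+h?(\d+(?:\.\d+){3})\s+build\s+(\d{8})$")

def parse_firmware(text):
    """Split 'QTS 5.1.6.2722 build 20240402' into (product, version tuple, build)."""
    m = _FW.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    product, version, build = m.groups()
    return product, tuple(int(p) for p in version.split(".")), int(build)

def has_april_2024_fixes(text):
    """True if the firmware is at or past the fixed release for its product."""
    product, version, build = parse_firmware(text)
    return (version, build) >= FIXED[product]

def find_poc_account(passwd_text, sudoers_text):
    """Return (file, line number, line) for each entry naming the PoC account."""
    hits = []
    for n, line in enumerate(passwd_text.splitlines(), 1):
        if line.split(":", 1)[0] == POC_ACCOUNT:
            hits.append(("passwd", n, line))
    for n, line in enumerate(sudoers_text.splitlines(), 1):
        fields = line.split()
        # Commented-out lines start with '#', so they never match the account name.
        if fields and fields[0] == POC_ACCOUNT:
            hits.append(("sudoers", n, line.strip()))
    return hits

# Constructed sample data, not taken from a real device.
SAMPLE_PASSWD = ("admin:x:0:0:administrator:/share/homes/admin:/bin/sh\n"
                 "watchtowr:x:1001:100::/share/homes/watchtowr:/bin/sh\n")
SAMPLE_SUDOERS = "# constructed sudoers\nadmin ALL=(ALL) ALL\nwatchtowr ALL=(ALL) ALL\n"

if __name__ == "__main__":
    # The first firmware string is a constructed older release used for contrast.
    for fw in ("QTS 5.1.5.2645 build 20240116", "QuTS hero h5.1.6.2734 build 20240414"):
        print(fw, "->", "fixed" if has_april_2024_fixes(fw) else "needs update")
    for hit in find_poc_account(SAMPLE_PASSWD, SAMPLE_SUDOERS):
        print("indicator:", hit)
```

A clean result from the account check only rules out an unmodified run of the public PoC; a renamed account would not match.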