Security News

A threat researcher has disclosed a new arbitrary command injection and hardcoded backdoor flaw in multiple end-of-life D-Link Network Attached Storage device models. The two main issues contributing to the flaw, tracked as CVE-2024-3273, are a backdoor facilitated through a hardcoded account and a command injection problem via the "System" parameter.

QNAP warns of vulnerabilities in its NAS software products, including QTS, QuTS hero, QuTScloud, and myQNAPcloud, that could allow attackers to access devices. NAS devices often store large amounts of valuable data for businesses and individuals, including sensitive personal information, intellectual property, and critical business data.

QNAP Systems has patched two unauthenticated OS command injection vulnerabilities in various versions of the operating systems embedded in the firmware of their popular network-attached storage devices. "Prior to the publication of CVE-2023-47565, Unit 42 researchers initially suspected the ATP-observed vulnerability to affect QNAP NAS systems running QTS firmware. However, on November 17, 2023, Unit 42 conducted reverse engineering and additional investigation of QTS firmware images and discovered the vulnerability now known as CVE-2023-50358. The two vulnerabilities are somewhat similar, but affect different software components in different classes of devices."

NCSC-FI has received 12 reports of Akira ransomware hitting Finnish organizations in 2023, and three of the attacks happened during Christmas vacations. "Of the ransomware malware cases reported to the Cybersecurity Center in December, six out of seven involved Akira family malware," they added.

The Finish National Cybersecurity Center is informing of increased Akira ransomware activity in December, targeting companies in the country and wiping backups. Wiping the backups amplifies the damage of the attack and allows the threat actor to put more pressure on the victim as they eliminate the option of restoring the data without paying a ransom.

Zyxel has patched six vulnerabilities affecting its network attached storage devices, including several command injection flaws that can be easily exploited by unauthenticated attackers. One of the six plugged security holes is an improper authentication vulnerability in the devices' authentication module, and may allow unauthenticated attackers to grab system information by sending a specially crafted URL to a vulnerable device.

Zyxel has released patches to address 15 security issues impacting network-attached storage (NAS), firewall, and access point (AP) devices, including three critical flaws that could lead to...

Zyxel has addressed multiple security issues, including three critical ones that could allow an unauthenticated attacker to execute operating system commands on vulnerable network-attached storage devices. Zyxel NAS systems are used for storing data in a centralized location on the network.

QNAP has released security updates to address two critical security flaws impacting its operating system that could result in arbitrary code execution. Tracked as CVE-2023-23368 (CVSS score: 9.8),...

Zyxel is warning its NAS devices users to update their firmware to fix a critical severity command injection vulnerability. Zyxel has provided no workarounds or mitigations for CVE-2023-27992 in its latest advisory, so users of the impacted NAS devices are recommended to apply the available security updates as soon as possible.