Article Details
Scrape Timestamp (UTC): 2024-11-25 22:15:38.981
Original Article Text
QNAP addresses critical flaws across NAS, router software
QNAP has released security bulletins over the weekend, which address multiple vulnerabilities, including three critical severity flaws that users should address as soon as possible.
Starting with QNAP Notes Station 3, a note-taking and collaboration application used in the firm's NAS systems, the following two vulnerabilities impact it:
QNAP has resolved these issues in Notes Station 3 version 3.9.7 and recommends users update to this version or later to mitigate the risk. Instructions on updating are available in this bulletin.
The other two issues listed in the same bulletin, CVE-2024-38644 and CVE-2024-38646, are high-severity (CVSS v4 score: 8.7, 8.4) command injection and unauthorized data access problems that require user-level access to exploit.
QuRouter flaws
The third critical flaw QNAP addressed on Saturday is CVE-2024-48860, impacting QuRouter 2.4.x products, QNAP's line of high-speed, secure routers.
The flaw, rated 9.5 "critical" according to CVSS v4, is an OS command injection flaw that could allow remote attackers to execute commands on the host system.
QNAP also fixed a second, less severe command injection problem tracked as CVE-2024-48861, with both issues addressed in QuRouter version 2.4.3.106.
Other QNAP fixes
Other products that received important fixes this weekend are QNAP AI Core (AI engine), QuLog Center (log management tool), QTS (standard OS for NAS devices), and QuTS Hero (advanced version of QTS).
Here's a summary of the most important flaws that were fixed in those products, with a CVSS v4 rating between 7.7 and 8.7 (high).
QNAP customers are strongly advised to install the updates as soon as possible to remain protected against potential attacks.
As always, QNAP devices should never be connected directly to the Internet and should instead be deployed behind a VPN to prevent remote exploitation of flaws.
Daily Brief Summary
QNAP released security updates addressing multiple vulnerabilities in its NAS and router software, including three critical severity issues.
Critical flaws were patched in Notes Station 3 and QuRouter products, with the most severe being an OS command injection flaw in QuRouter that could allow remote attackers to execute commands on the host system.
The addressed vulnerabilities in Notes Station 3 are resolved in version 3.9.7, with users urged to update immediately.
The QuRouter critical flaw, allowing remote command execution, was fixed in version 2.4.3.106.
Additional fixes covered QNAP AI Core, QuLog Center, QTS, and QuTS Hero, with vulnerabilities rated from high to critical severity.
QNAP emphasized the importance of updating devices promptly and recommended using VPNs to shield devices from direct internet exposure.