Critical QNAP NAS Vulnerabilities Allow Remote Code Execution

QNAP NAS devices are popular among businesses and consumers alike for their ease of use and reliability. The company released security updates to address two critical vulnerabilities in its network-attached storage (NAS) devices that could allow remote attackers to execute code. The vulnerabilities tracked as CVE-2023-23368 and CVE-2023-23369, affect QTS, QuTS hero, QuTScloud, Multimedia Console, and Media Streaming add-on firmware versions.

CVE-2023-23368 (rated by the company as ‘Critical’ (CVSS v3 score: 9.8))

This vulnerability is an OS command injection vulnerability that affects QTS 5.0.x, and 4.5.x; QuTS hero h5.0.x, h4.5.x; and QuTScloud c5.0.1 versions of the operating system. If exploited, this vulnerability could allow an attacker to execute arbitrary commands on the affected device.

CVE-2023-23369 rated by the company as ‘Critical’ (CVSS v3 score: 9.0)

This vulnerability is also an OS command injection vulnerability, but it affects QTS 5.1.x, 4.3.6, 4.3.4, 4.3.3, and 4.2.x versions of the operating system, as well as Multimedia Console 2.1.x, 1.4.x; and Media Streaming add-on 500.1.x, 500.0.x. If exploited, this vulnerability could also allow an attacker to execute arbitrary commands on the affected device.

“An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to execute commands via a network,” QNAP warned.

QNAP recommends that users upgrade to the following versions to remain safe:

  • CVE-2023-23368:
    • QTS 5.0.1.2376 build 20230421 and later
    • QTS 4.5.4.2374 build 20230416 and later
    • QuTS hero h5.0.1.2376 build 20230421 and later
    • QuTS hero h4.5.4.2374 build 20230417 and later
    • QuTScloud c5.0.1.2374 and later
  • CVE-2023-23369:
    • QTS 5.1.0.2399 build 20230515 and later
    • QTS 4.3.6.2441 build 20230621 and later
    • QTS 4.3.4.2451 build 20230621 and later
    • QTS 4.3.3.2420 build 20230621 and later
    • QTS 4.2.6 build 20230621 and later
    • Multimedia Console 2.1.2 (2023/05/04) and later
    • Multimedia Console 1.4.8 (2023/05/05) and later
    • Media Streaming add-on 500.1.1.2 (2023/06/12) and later
    • Media Streaming add-on 500.0.0.11 (2023/06/16) and later

QNAP’s advisory clearly states that there’s no evidence yet of these vulnerabilities being exploited in the wild. It is important to update your QNAP NAS firmware to the latest version as soon as possible to protect yourself from these vulnerabilities.

How to upgrade your QNAP NAS device

Updating QTS, QuTS hero, or QuTScloud

  1. Log in to QTS, QuTS hero, or QuTScloud as an administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    The system downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

Updating Multimedia Console

  1. Log on to QTS as an administrator.
  2. Open the App Center and then click 
  3. Type “Multimedia Console” and then press ENTER.
    Multimedia Console appears in the search results.
  4. Click Update.
    A confirmation message appears.
    Note: The Update button is not available if your version is already up to date.
  5. Click OK.
    The application is updated.

Updating Media Streaming add-on

  1. Log on to QTS as an administrator.
  2. Open the App Center and then click 
  3. Type “Media Streaming add-on” and then press ENTER.
    Media Streaming add-on appears in the search results.
  4. Click Update.
    A confirmation message appears.
    Note: The Update button is not available if your version is already up to date.
  5. Click OK.
    The application is updated.