CVE-2023-47565 Flaw in QNAP NVR Devices Exploited in the Wild

In a digital landscape increasingly dotted with sophisticated surveillance solutions, the discovery of a critical vulnerability in QNAP’s VioStor Network Video Recorder (NVR) devices serves as a stark reminder of the ever-present cybersecurity risks. Recently, the Akamai Security Intelligence Response Team (SIRT) uncovered an actively exploited vulnerability in QNAP NVR devices.

This vulnerability, identified as CVE-2023-47565 and rated with a concerning CVSS v3 score of 8.0, reveals a significant gap in network security. The QNAP VioStor NVR, renowned for its high-performance network surveillance, monitoring of IP cameras, video recording, playback, and remote data access, now faces a formidable challenge.

CVE-2023-47565

The crux of CVE-2023-47565 lies in its ability to allow an authenticated attacker to perform OS command injection. This is achieved through a payload delivered via a POST request to the management interface, exploiting the device’s default credentials, a vulnerability that was previously unknown and unreported.

Initially, SIRT’s investigation into the InfectedSlurs campaign only reported two zero-day vulnerabilities, as the exploit’s link to a specific device or manufacturer remained elusive. However, further analysis revealed that the QNAP VioStor NVR devices were indeed the targets. These devices, often shipped with weak default credentials as found in their manuals, fit the campaign’s profile and were susceptible to OS command injection vulnerabilities, particularly in their NTP settings.

Despite QNAP considering these NVR devices discontinued in terms of support, the recent discovery has prompted an urgent recommendation from the vendor to upgrade the firmware to the latest available version. This issue had been patched previously but never publicly disclosed. Additionally, QNAP advises users to change the default passwords on their devices to bolster security.

Recognizing the severity of this vulnerability, the United States Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-47565 to its ‘Known Exploited Vulnerabilities (KEV) Catalog’ on December 21. This inclusion serves as both a cautionary tale and a call to action for administrative agencies to take the necessary steps to mitigate the risk.