QNAP Patches Zero-Day Flaw CVE-2024-50389 in QuRouter Following Pwn2Own Ireland 2024 Exploits
Taiwanese tech giant QNAP has moved quickly to address a critical zero-day vulnerability in its QuRouter network security appliance, exploited by security researchers during the recent Pwn2Own hacking contest in Ireland.
The vulnerability, tracked as CVE-2024-50389, allowed the Viettel Cyber Security team to compromise a QuRouter device and claim a share of the more than $1 million in prize money awarded during the competition.
QNAP wasted no time in releasing a patch for the affected QuRouter 2.4.x versions, urging users to update to version 2.4.5.032 or later immediately. The company acknowledged Viettel Cyber Security for responsibly disclosing the vulnerability.
This incident follows hot on the heels of two other zero-day vulnerabilities patched by QNAP last week, also discovered by Viettel Cyber Security during Pwn2Own:
- CVE-2024-50388: A flaw in the HBS 3 Hybrid Backup Sync solution that allowed attackers to execute arbitrary commands on a TS-464 NAS device.
- CVE-2024-50387: A critical SQL injection vulnerability in QNAP’s SMB Service.
QNAP’s rapid response to these vulnerabilities is commendable, particularly in contrast to the typical 90-day window vendors have before details of Pwn2Own exploits are publicly released.
Updating your QuRouter is crucial to mitigate the risk posed by CVE-2024-50389. QNAP has provided clear instructions for updating to the latest firmware version:
- Log in to your QuRouter.
- Go to Firmware.
- Select Update now.
- Select Latest.
- Click Apply and confirm.
QuRouter will then download and install the necessary updates. Alternatively, users can manually download the latest firmware from the QNAP Download Center and apply it through the QuRouter interface.
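For administrators who manage more than one device, the practical question is which units still sit on an affected 2.4.x build below 2.4.5.032. The following script is an added example (not QNAP code) that compares firmware version strings numerically against the fixed version named above; it assumes the dotted numeric format shown in this article (e.g. "2.4.5.032") and treats only the 2.4.x branch as affected, because that is the range the advisory text names. The inventory at the bottom is constructed sample data.

```python
"""Triage QuRouter firmware versions against the CVE-2024-50389 fix.

Added example, not QNAP's code. Assumes the dotted numeric version format
seen in the advisory (e.g. "2.4.5.032"). The affected branch (2.4.x) and the
fixed version (2.4.5.032) are taken from the advisory text; other branches are
reported as outside that range, not as verified safe.
"""
from __future__ import annotations

import re

AFFECTED_BRANCH = (2, 4)       # QuRouter 2.4.x is the affected branch per the advisory
FIXED_VERSION = "2.4.5.032"    # first patched release for CVE-2024-50389

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.4.5.032' into (2, 4, 5, 32) so components compare numerically.

    Comparing as plain strings would be wrong for build numbers of different
    widths (e.g. '032' vs '100'), so every component is converted to an int.
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def needs_update(version: str) -> bool:
    """True if the device runs an affected 2.4.x build older than the fix."""
    parsed = parse_version(version)
    if parsed[:2] != AFFECTED_BRANCH:
        return False  # outside the range the advisory names as affected
    return parsed < parse_version(FIXED_VERSION)


def triage_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group host names by whether they still need the CVE-2024-50389 update."""
    result: dict[str, list[str]] = {
        "update_required": [],
        "patched_or_unaffected": [],
        "unparseable": [],
    }
    for host, version in inventory.items():
        try:
            bucket = "update_required" if needs_update(version) else "patched_or_unaffected"
        except ValueError:
            bucket = "unparseable"  # report rather than silently skip odd inventory rows
        result[bucket].append(host)
    return result


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "router-hq": "2.4.4.021",        # affected branch, below the fix -> update
    "router-branch-1": "2.4.5.032",  # exactly the fixed version
    "router-branch-2": "2.4.5.100",  # later build on the fixed branch
    "router-lab": "2.3.9.015",       # not in the 2.4.x range the advisory names
    "router-unknown": "n/a",         # inventory row with no usable version
}

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed `triage_inventory` the version strings from your own asset list; anything in `update_required` should go through the Firmware > Update now steps above, and anything in `unparseable` deserves a manual look.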