
QNAP fixed two critical vulnerabilities in QTS OS and apps


QNAP TS-464 NAS

Taiwanese vendor QNAP warns of two critical command injection flaws in the QTS operating system and applications on its NAS devices.

Taiwanese vendor QNAP Systems addressed two critical command injection vulnerabilities, tracked as CVE-2023-23368 and CVE-2023-23369, that impact the QTS operating system and applications on its network-attached storage (NAS) devices.

The vulnerability CVE-2023-23368 (CVSS score 9.8) is an OS command injection issue that could be exploited by a remote attacker to execute commands via a network. The vulnerability was reported by CataLpa of Hatlab, Dbappsecurity Co. Ltd.

“An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to execute commands via a network.” reads the advisory.

Below are the impacted product versions and the available fixed versions:

Affected product          Fixed version
QTS 5.0.x                 QTS 5.0.1.2376 build 20230421 and later
QTS 4.5.x                 QTS 4.5.4.2374 build 20230416 and later
QuTS hero h5.0.x          QuTS hero h5.0.1.2376 build 20230421 and later
QuTS hero h4.5.x          QuTS hero h4.5.4.2374 build 20230417 and later
QuTScloud c5.0.x          QuTScloud c5.0.1.2374 and later

The vulnerability CVE-2023-23369 (CVSS score 9.0) is also an OS command injection issue that could be exploited by a remote attacker to execute commands via a network. Unlike CVE-2023-23368, it affects not only the QTS operating system but also two QTS applications, Multimedia Console and the Media Streaming add-on.

“An OS command injection vulnerability has been reported to affect several QNAP operating system and application versions. If exploited, the vulnerability could allow remote attackers to execute commands via a network.” reads the advisory.

The flaw was reported by Eqqie. Below are the impacted product versions and the available fixed versions:

Affected product                 Fixed version
QTS 5.1.x                        QTS 5.1.0.2399 build 20230515 and later
QTS 4.3.6                        QTS 4.3.6.2441 build 20230621 and later
QTS 4.3.4                        QTS 4.3.4.2451 build 20230621 and later
QTS 4.3.3                        QTS 4.3.3.2420 build 20230621 and later
QTS 4.2.x                        QTS 4.2.6 build 20230621 and later
Multimedia Console 2.1.x         Multimedia Console 2.1.2 (2023/05/04) and later
Multimedia Console 1.4.x         Multimedia Console 1.4.8 (2023/05/05) and later
Media Streaming add-on 500.1.x   Media Streaming add-on 500.1.1.2 (2023/06/12) and later
Media Streaming add-on 500.0.x   Media Streaming add-on 500.0.0.11 (2023/06/16) and later
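Because the fix threshold depends on the product line, the branch and, where the dotted version is identical, the build date (QTS 4.5.4.2374 is fixed from build 20230416, QuTS hero h4.5.4.2374 only from build 20230417), checking an installed version by eye is error-prone. The Python checker below is an added example written for this article; it is not QNAP's tooling and not part of the original advisories. It encodes both tables above and reports, for a version string in the format the advisories use (for example "QuTS hero h4.5.4.2374 build 20230417" or "Multimedia Console 2.1.2 (2023/05/04)"), whether that build meets the fix threshold for each CVE. The input string format, the parsing regex and the status labels are assumptions of this example, and the checker knows only the rows QNAP listed: a branch that is absent from an advisory (for instance QTS 5.1.x for CVE-2023-23368) is reported as "not listed", not as safe.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Installed:
    """A parsed QNAP version string such as 'QuTS hero h5.0.1.2376 build 20230421'."""
    product: str              # "QTS", "QuTS hero", "QuTScloud", "Multimedia Console", ...
    prefix: str               # "h" for QuTS hero, "c" for QuTScloud, "" otherwise
    numbers: Tuple[int, ...]  # dotted version, e.g. (5, 0, 1, 2376)
    build: Optional[int]      # build date as YYYYMMDD, or None when the string has none


@dataclass(frozen=True)
class FixRow:
    """One row of an advisory table: affected branch -> first fixed version."""
    product: str
    prefix: str
    branch: Tuple[int, ...]     # e.g. (5, 0) for "QTS 5.0.x", (4, 3, 6) for "QTS 4.3.6"
    fixed: Tuple[int, ...]      # first fixed dotted version
    fixed_build: Optional[int]  # build date required when the dotted version is equal


# Fixed versions as listed in the two QNAP advisories reproduced in the article.
ADVISORIES = {
    "CVE-2023-23368": [
        FixRow("QTS", "", (5, 0), (5, 0, 1, 2376), 20230421),
        FixRow("QTS", "", (4, 5), (4, 5, 4, 2374), 20230416),
        FixRow("QuTS hero", "h", (5, 0), (5, 0, 1, 2376), 20230421),
        FixRow("QuTS hero", "h", (4, 5), (4, 5, 4, 2374), 20230417),
        FixRow("QuTScloud", "c", (5, 0), (5, 0, 1, 2374), None),
    ],
    "CVE-2023-23369": [
        FixRow("QTS", "", (5, 1), (5, 1, 0, 2399), 20230515),
        FixRow("QTS", "", (4, 3, 6), (4, 3, 6, 2441), 20230621),
        FixRow("QTS", "", (4, 3, 4), (4, 3, 4, 2451), 20230621),
        FixRow("QTS", "", (4, 3, 3), (4, 3, 3, 2420), 20230621),
        FixRow("QTS", "", (4, 2), (4, 2, 6), 20230621),
        FixRow("Multimedia Console", "", (2, 1), (2, 1, 2), 20230504),
        FixRow("Multimedia Console", "", (1, 4), (1, 4, 8), 20230505),
        FixRow("Media Streaming add-on", "", (500, 1), (500, 1, 1, 2), 20230612),
        FixRow("Media Streaming add-on", "", (500, 0), (500, 0, 0, 11), 20230616),
    ],
}

# Accepts "<product> [h|c]<dotted version> [build YYYYMMDD | (YYYY/MM/DD)]".
# This input format is an assumption modelled on how the advisories print versions.
_VERSION_RE = re.compile(
    r"(?P<product>.+?)\s+(?P<prefix>[hc]?)(?P<ver>\d+(?:\.\d+)*)"
    r"(?:\s+build\s+(?P<build>\d{8})|\s+\((?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})\))?",
    re.IGNORECASE,
)


def parse_version(text: str) -> Installed:
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    if m["build"]:
        build = int(m["build"])
    elif m["y"]:
        build = int(m["y"] + m["m"] + m["d"])   # "(2023/05/04)" -> 20230504
    else:
        build = None
    numbers = tuple(int(part) for part in m["ver"].split("."))
    return Installed(m["product"], m["prefix"].lower(), numbers, build)


def status(installed: str, cve: str) -> str:
    """Return 'fixed', 'vulnerable', 'unknown' (same dotted version as the fix but no
    build date to compare) or 'not listed' (product/branch absent from that advisory)."""
    v = parse_version(installed)
    for row in ADVISORIES[cve]:
        if (row.product.lower(), row.prefix) != (v.product.lower(), v.prefix):
            continue
        if v.numbers[: len(row.branch)] != row.branch:
            continue
        if v.numbers != row.fixed:
            return "fixed" if v.numbers > row.fixed else "vulnerable"
        if row.fixed_build is None:   # advisory gives no build date for this row
            return "fixed"
        if v.build is None:
            return "unknown"
        return "fixed" if v.build >= row.fixed_build else "vulnerable"
    return "not listed"


def check(installed: str) -> dict:
    """Status of one installed version against both CVEs."""
    return {cve: status(installed, cve) for cve in ADVISORIES}


if __name__ == "__main__":
    for sample in (                    # constructed sample version strings
        "QTS 5.0.1.2376 build 20230421",
        "QuTS hero h4.5.4.2374 build 20230416",
        "Multimedia Console 2.1.1 (2023/04/01)",
    ):
        print(f"{sample:40} {check(sample)}")
```

The comparison is deliberately two-stage: the dotted version decides first, and only when it equals the fixed version does the build date come into play, since QNAP ships the same dotted version under several build dates and the advisories name a specific one. An "unknown" result means the version string lacked the build date needed to decide, so it should be read from the device rather than assumed.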

Network administrators are urged to address both vulnerabilities to prevent threat actors from exploiting them to take over devices running the vulnerable software. Because the fixed builds differ by product line and branch (the same dotted version 4.5.4.2374 is fixed from build 20230416 on QTS but only from build 20230417 on QuTS hero), the installed version should be checked against the relevant table entry, including the build date, rather than against the major version alone.


Pierluigi Paganini

(SecurityAffairs – hacking, NAS)