QNAP’s Security Team Caught Napping

Source: Bleeping Computer QNAP’s Security Team Caught Napping

4 Out Of 15 Is A Nasty Number Of Fixes

The QNAP QTS OS for their NAS devices is in the news, and not in a good way.  Security researchers discovered 15 flaws between December 12, 2023, and January 23, 2024 and as of today they have only addressed four of them.  This delay has led to the vulnerabilities being publicly disclosed so that owners of QNAP devices are aware of the vulnerabilities their devices have.  On the plus side the disclosure has led to five more patches being released today, including one for the zero day remote code execution vulnerability.

Many of the flaws are do to improper usage of the strcpy command, which can be leveraged to cause a buffer overflow and lead to code execution.  There are also ones that allow an attacker to defeat MFA and a handful of other attack vectors.  QNAP have overcome what they are calling coordination issues to release patches and you should definitely grab them from the link at Bleeping Computer.  It might be worth checking back to see if there are updates addressing the remaining six flaws.


The flaws uncovered by WatchTowr analysts are primarily related to code execution, buffer overflows, memory corruption, authentication bypass, and XSS issues, impacting the security of Network Attached Storage (NAS) devices across different deployment environments.

Video News

About The Author

Jeremy Hellstrom

Call it K7M.com, AMDMB.com, or PC Perspective, Jeremy has been hanging out and then working with the gang here for years. Apart from the front page you might find him on the BOINC Forums or possibly the Fraggin' Frogs if he has the time.

Leave a reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Latest Podcasts

Archive & Timeline

Previous 12 months
Explore: All The Years!