QNAP has released a new security advisory warning users of two vulnerabilities that affect its QTS operating system which powers many of the NAS devices used by businesses and consumers to backup their data locally.
The vulnerabilities, tracked as CVE-2020-2490 and CVE-2020-2492, can be exploited to allow a remote attacker to execute arbitrary commands on NAS devices running versions of QTS released before September 8 of this year.
In its security advisory, QNAP doesn’t provide that many details on how exactly these vulnerabilities can be exploited though they are both classified as command injection vulnerabilities. These types of vulnerabilities are particularly dangerous as they could allow for full take over of an affected device.
Thankfully though, QNAP has issued patches to address both vulnerabilities in QTS 22.214.171.1241 build 20200907 and later versions.
In order to secure your NAS devices from any potential attacks leveraging these vulnerabilities, QNAP recommends that users update QTS to the latest version.
To do so, you’ll first need to log on to QTS as an administrator and then navigate to Control Panel > System > Firmware Update. Under the Live Update section, click on Check for Update and then QTS will download and install the latest update available.
Alternatively, you can also go to QNAP’s website and under Support, you can perform a manual update for your devices by heading to the download center.
NAS devices are increasingly being targeted by cybercriminals and just last week, QNAP warned that Zerologon now affects NAS devices and a month ago, the company urged users to update their devices to avoid being infected with the AgeLocker ransomware.