Skip to the content.

DIVD-2023-00006 - Unauthenticated code injection in QNAP QTS and QuTS hero

Our reference DIVD-2023-00006
Case lead Stan Plasmeijer
Researcher(s)
CVE(s)
Product QNAP QTS and QNAP QuTS hero
Versions
  • QTS 5.0.1.2234 build 20221201 and later
  • QuTS hero h5.0.1.2248 build 20221215 and later
Recommendation If you have a vulnerable QTS or QuTS hero, update to the latest version.
Status Open
Last modified 07 Feb 2023 11:20

Summary

A vulnerability has been found in QNAP devices running QTS 5.0.1 and QuTS hero h5.0.1. When exploited, it is possible for attackers to inject malicious code. QNAP has linked CWE-89 to this CVE. The CWE is related to ‘Improper Neutralization of Special Elements used in an SQL Command (or SQL injection)’. QTS 5.0.0, QTS 4.x.x, QuTS hero 5.0.0 and QuTS hero 4.5.x are not affected.

What you can do

Update your QTS or QuTS hero. This can be done by navigating to Control Panel > System > Firmware Update. Under Live Update, click Check for Update.

What we are doing

DIVD is currently working to identify vulnerable parties and notifying these. We do this by finding QNAP QTS and QNAP QuTS Hero instances and verifying their version and build number. The notificaiton will be sent to the party responsible for the ip address accoording to the whois database.

Timeline

Date Description
02 Feb 2023 DIVD starts researching fingerprint.
gantt title DIVD-2023-00006 - Unauthenticated code injection in QNAP QTS and QuTS hero dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2023-00006 - Unauthenticated code injection in QNAP QTS and QuTS hero (still open) :2023-02-02, 2023-04-03 section Events DIVD starts researching fingerprint. : milestone, 2023-02-02, 0d

More information