QNAP has addressed 14 vulnerabilities across its QTS, QuTS hero, QuTS cloud, and QVP systems. The issues include command injection, credential theft, and denial-of-service bugs. Notably, some command injection vulnerabilities allow authenticated users to execute arbitrary commands, while others can be exploited without admin rights. The vulnerabilities expose sensitive data and operational issues, making targeted attacks on NAS devices a significant risk.
Patched versions include QTS 5.2.10, QuTS hero h5.2.9, QuTS cloud C5.2.9, and QVP 2.8.0. Users are advised to update their firmware to mitigate risks and limit access to the management interface.