The QTS operating system of Qnap NAS devices is vulnerable due to two critical flaws. Qnap has released a patch that you should install immediately.

Qnap is warning customers about two critical vulnerabilities in its QTS operating system. QTS is the operating system for the manufacturer’s NAS devices and therefore manages large amounts of data. In addition, Qnap is regularly targeted by criminals who want to take customer data hostage or destroy it. The bugs in question, along with others, are very dangerous and carry a very high risk of exploitation.

Vulnerable software

The first bug is called CVE-2023-23368 and receives a score of 9.8. An attacker could remotely exploit this vulnerability to execute code themselves. CVE-2023-23369 has a similar effect, but is slightly less easy to exploit. However, this leak is also critical with a value of 9.0. The errors affect different versions of QTS as well as software such as the multimedia console. The following editions are vulnerable to the first error:

• QTS 5.0.x and QTS 4.5.x
• QTS hero h5.0.x and GTS hero 4.5.x
• QuTScloud c5.01

And secondly, the following software:

• QTS 5.1.x, 4.3.6, 4.3.4, 4.3.3 and 4.2.x
• Multimedia Console 2.1.x and 1.4.x
• Media streaming add-on 500.1.x and 500.0.x

Fortunately, Qnap already provides patches. You will find this in the following versions of the affected software:

• QTS 5.0.1.2376 Build 20230421 and later
• QTS 4.5.4.2374 Build 20230416 and later
• QuTS hero h5.0.1.2376 Build 20230421 and above
• QuTS hero h4.5.4.2374 Build 20230417 and above
• QuTScloud c5.0.1.2374 and later
• QTS 5.1.0.2399 Build 20230515 and later
• QTS 4.3.6.2441 Build 20230621 and later
• QTS 4.3.4.2451 Build 20230621 and later
• QTS 4.3.3.2420 Build 20230621 and later
• QTS 4.2.6 Build 20230621 and later
• Multimedia Console 2.1.2 (05/04/2023) and higher
• Multimedia Console 1.4.8 (05/05/2023) and higher
• Media streaming add-on 500.1.1.2 (06/12/2023) and later
• Media streaming add-on 500.0.0.11 (06/16/2023) and later

Given the severity of the error, updating should be an absolute priority. This can be done for the operating system via Control Panel > System > Firmware Update. Click there Check for update below Live update, and install the latest version. If for some reason this does not work, Qnap also offers the option to manually download the latest version of the software via the website.

To update the multimedia console you need to go to the App Center Are. Click on it To updatewhen this button is visible. You can also update the media streaming add-on to the latest version.