This week, Qnap released an update for its QTS operating system, which powers the company's NAS devices, to fix two command injection vulnerabilities at once.
Although the developers have not yet disclosed many details about the problems found, the bugs have reportedly been assigned the identifiers CVE-2020-2490 and CVE-2020-2492 and were fixed in QTS 18.104.22.1681 build 20200907…
It is not yet clear exactly how an attacker can exploit these bugs or which OS components are vulnerable. It is only reported that the vulnerabilities can be exploited remotely, and since both problems allow command injection, this could mean a complete takeover of a vulnerable device.
Let me remind you that this is already the third serious problem affecting Qnap devices in recent years. In September 2020, the developers eliminated two critical vulnerabilities in the Helpdesk application and reported that the company's NAS may be vulnerable to the Zerologon problem; in addition, in recent months Qnap devices have been subjected to massive attacks by the AgeLocker and Ch0raix ransomware. The latter, however, exploited old and well-known bugs.