QNAP warns of vulnerabilities in its NAS software products, including QTS, QuTS hero, QuTScloud, and myQNAPcloud, that could allow attackers to access devices.
The Taiwanese Network Attached Storage (NAS) device maker disclosed three vulnerabilities that can lead to an authentication bypass, command injection, and SQL injection.
While the last two require the attackers to be authenticated on the target system, which significantly lessens the risk, the first (CVE-2024-21899) can be executed remotely without authentication and is marked as "low complexity."
https://www.bleepingcomputer.com/news/s ... as-devices