QNAP has issued fixes for two critical command injection vulnerabilities affecting its network-attached storage devices, which could be leveraged to achieve arbitrary code execution, reports The Hacker News.
According to QNAP, the first flaw, tracked as CVE-2023-23368, affects QTS 4.5.x and 5.0.x, QuTS hero h4.5x and h5.0x, and QuTScloud c5.0x, while the second bug, tracked as CVE-2023-23369, affects QTS 4.2.x, 4.3.3, 4.3.4, 4.3.6, and 5.1.x, as well as Multimedia Console 1.4.x and 2.1.x, and Media Streaming add-on 500.0.x and 500.1.x.
"If exploited, the vulnerability could allow remote attackers to execute commands via a network," said QNAP, which called on organizations using the vulnerable software versions to immediately apply the updates.
The security updates come weeks after QNAP reported that it had disrupted a command-and-control server used in brute-force attacks against internet-facing NAS devices with weak password security measures.
Vulnerabilities impacting cloud analytics and business intelligence software Qlik Sense have been exploited to facilitate the deployment of CACTUS ransomware in a new campaign, The Hacker News reports.