QNAP has unveiled two critical zero-day vulnerabilities present in its legacy model TS-231 network attached storage devices and a number of other non-legacy NAS hardware, according to Threatpost. The company said the bugs can be addressed immediately on its non-legacy NAS devices through patches, while a patch for the TS-231 model is scheduled for release over the next few weeks. The bugs, which are designated CVE-2020-2509 and CVE-2021-36195, enable threat actors to perform remote unauthenticated attacks and manipulate data stored on the affected devices. Researchers from SAM Seamless network disclosed the bugs to the public last Wednesday after notifying QNAP of them and providing a four-month grace period for the company to provide a fix. The researchers declined to make public the full technical details of the vulnerabilities due to the possibility of their causing severe harm to QNAP devices that are currently affected, which number in the tens of thousands.
Jill Aitoro is senior vice president of content strategy for CyberRisk Alliance. She has more than 20 years of experience editing and reporting on technology, business and policy. Prior to joining CRA, she worked at Sightline Media as editor of Defense News and executive editor of the Business-to-Government Group. She previously worked at Washington Business Journal and Nextgov, covering federal technology, contracting and policy, as well as CMP Media’s VARBusiness and CRN and Penton Media’s iSeries News.