Nine security flaws impacting QNAP NAS devices, one of which is critical and could be abused to facilitate system takeovers, have been patched, according to The Hacker News. Threat actors could exploit the critical vulnerability, tracked as CVE-2022-27588, impacting QNAP VS Series NVR running QVR to enable execution of arbitrary commands, said QNAP, which has already fixed the bug in QVR 5.1.6 build 20220401 and later. Three other high-severity and five medium-severity flaws have also been addressed, including a thttpd path traversal flaw, tracked as CVE-2021-38693, impacting QNAP devices on QTS, QVR Pro Appliance, QuTS hero, and QuTScloud; a command injection flaw, tracked as CVE-2021-44051, found in QNAP QTS, QuTScloud, and QuTS hero devices; a pre-file access improper link resolution bug, tracked as CVE-2021-44052, found in QNAP QTS, QuTScloud, and QuTS hero; a cross-site scripting bug, tracked as CVE-2021-44053, impacting QNAP QTS, QuTS hero, and QuTScloud; and an open redirect flaw, tracked as CVE-2021-44054, impacting QNAP QTS, QuTS hero, and QuTScloud; as well as improper authentication flaws, tracked as CVE-2021-44056 and 2021-44057, which affect QNAP devices on Video Station and Photo Station, respectively.