Network Attached Storage (NAS) Vulnerability - 20240430002

Overview

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.

What is vulnerable?

Product Affected	CVE	Severity	CVSS
QTS 5.x, QTS 4.5.x, QuTS hero h5.x, QuTS hero h4.5.x, QuTScloud c5.x, myQNAPcloud 1.0.x, myQNAPcloud Link 2.4.x	CVE-2024-32766	Critical	10.0

What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices (refer Patch Management):

-QNAP Security Advisory

Additional References

• Penetration Testing | QNAP Vulnerability
• CVE-2024-32766 | Tenable®