Taiwanese network-attached storage (NAS) appliances maker QNAP released security updates to address a couple of security issues, one of which is a zero-day vulnerability discovered in November 2023.
The zero-day flaw, tracked as CVE-2023-50358, is an OS command injection issue in QTS and QuTScloud hero that can be used by a remote attacker to execute arbitrary shell commands on the system. The flaw was discovered by Palo Alto’s Unit42 in early November 2023.
“On Nov. 7, 2023, Unit 42 researchers were alerted of suspicious attack traffic targeted at QNAP devices. Further analysis revealed a new vulnerability related to (but not directly exploited by) the observed traffic,” the researchers said.
Unit42 said it identified 289,665 exposed devices, with Germany and the US accounting for the majority of them (42,535 and 36,865, respectively), followed by China, Italy, Japan, Taiwan, and France.
The second vulnerability addressed by QNAP is also an OS command injection issue, tracked as CVE-2023-47218. Currently, there’s no indication that this vulnerability is being exploited in the wild.