NAS vendor QNAP warns of critical vulnerabilities in QTS OS

published: Nov. 6, 2023

Take action: If you are using QNAP devices, block access to them from the public internet and patch as soon as possible.



QNAP Systems, a Taiwanese company that specializes in network-attached storage (NAS) appliances, has addressed two critical security vulnerabilities in its devices that could allow remote attackers to execute arbitrary commands over the network.

The vulnerabilities are tracked as

QNAP has provided updates to fix these vulnerabilities in multiple versions of their operating systems and applications:

  • For CVE-2023-23368

| Affected Product | Fixed Version |
| --- | --- |
| QTS 5.0.x | QTS 5.0.1.2376 build 20230421 and later |
| QTS 4.5.x | QTS 4.5.4.2374 build 20230416 and later |
| QuTS hero h5.0.x | QuTS hero h5.0.1.2376 build 20230421 and later |
| QuTS hero h4.5.x | QuTS hero h4.5.4.2374 build 20230417 and later |
| QuTScloud c5.0.x | QuTScloud c5.0.1.2374 and later |

  • For CVE-2023-23369

| Affected Product | Fixed Version |
| --- | --- |
| QTS 5.1.x | QTS 5.1.0.2399 build 20230515 and later |
| QTS 4.3.6 | QTS 4.3.6.2441 build 20230621 and later |
| QTS 4.3.4 | QTS 4.3.4.2451 build 20230621 and later |
| QTS 4.3.3 | QTS 4.3.3.2420 build 20230621 and later |
| QTS 4.2.x | QTS 4.2.6 build 20230621 and later |
| Multimedia Console 2.1.x | Multimedia Console 2.1.2 (2023/05/04) and later |
| Multimedia Console 1.4.x | Multimedia Console 1.4.8 (2023/05/05) and later |
| Media Streaming add-on 500.1.x | Media Streaming add-on 500.1.1.2 (2023/06/12) and later |
| Media Streaming add-on 500.0.x | Media Streaming add-on 500.0.0.11 (2023/06/16) and later |

Administrators are advised to update their systems by navigating to the Firmware Update section in the Control Panel of their NAS device or by downloading the updates manually from QNAP's website. QNAP devices have previously been targeted by ransomware attacks that exploited vulnerabilities to encrypt the devices.
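For administrators with more than one device, the following is an added example (not from QNAP or the original article): a Python check that compares firmware release strings from an inventory against the OS firmware rows of the tables above. The host names and inventory entries are constructed, and the `<version> build <date>` string format is assumed to match the one used in the tables; the Multimedia Console and Media Streaming add-on rows are left out.

```python
import re

# Fixed releases transcribed from the advisory's tables (OS firmware rows only).
# (product, affected branch) -> (CVE, first fixed version, first fixed build or None)
FIXES = {
    ("QTS", "5.0"):        ("CVE-2023-23368", "5.0.1.2376", 20230421),
    ("QTS", "4.5"):        ("CVE-2023-23368", "4.5.4.2374", 20230416),
    ("QuTS hero", "h5.0"): ("CVE-2023-23368", "h5.0.1.2376", 20230421),
    ("QuTS hero", "h4.5"): ("CVE-2023-23368", "h4.5.4.2374", 20230417),
    ("QuTScloud", "c5.0"): ("CVE-2023-23368", "c5.0.1.2374", None),
    ("QTS", "5.1"):        ("CVE-2023-23369", "5.1.0.2399", 20230515),
    ("QTS", "4.3.6"):      ("CVE-2023-23369", "4.3.6.2441", 20230621),
    ("QTS", "4.3.4"):      ("CVE-2023-23369", "4.3.4.2451", 20230621),
    ("QTS", "4.3.3"):      ("CVE-2023-23369", "4.3.3.2420", 20230621),
    ("QTS", "4.2"):        ("CVE-2023-23369", "4.2.6", 20230621),
}

def parse(release):
    """Split '<version> [build <yyyymmdd>]' into (version string, int tuple, build)."""
    m = re.fullmatch(r"\s*([hc]?)(\d+(?:\.\d+)*)(?:\s+build\s+(\d{8}))?\s*", release)
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    prefix, digits, build = m.groups()
    return prefix + digits, tuple(int(p) for p in digits.split(".")), int(build or 0)

def check(product, release):
    """Return (CVE, 'patched' | 'vulnerable'), or (None, 'not listed') if no row matches."""
    version, numbers, build = parse(release)
    for (prod, branch), (cve, fixed, fixed_build) in FIXES.items():
        if prod != product or not (version + ".").startswith(branch + "."):
            continue
        fixed_numbers = parse(fixed)[1]
        if fixed_build is None:   # row gives no build date: compare version only
            ok = numbers >= fixed_numbers
        else:                     # a missing build date counts as 0 (unpatched on a tie)
            ok = (numbers, build) >= (fixed_numbers, fixed_build)
        return cve, "patched" if ok else "vulnerable"
    return None, "not listed"

# Constructed inventory for illustration; these are not real devices.
INVENTORY = [
    ("nas-01", "QTS", "5.0.1.2346 build 20230322"),
    ("nas-02", "QTS", "4.2.6 build 20230621"),
    ("nas-03", "QuTS hero", "h4.5.4.2374 build 20230416"),
]

if __name__ == "__main__":
    for host, product, release in INVENTORY:
        print(host, product, release, *check(product, release))
```

A result of `not listed` means only that the tables above have no row for that branch; it says nothing about whether the release is affected.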
