QTS, QuTS hero, QuTScloud
Description
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.
We have already fixed the vulnerability in the following versions:
- QTS 5.1.4.2596 build 20231128 and later
- QuTS hero h5.1.4.2596 build 20231128 and later
- QuTScloud c5.1.5.2651 and later
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An OS command injection vulnerability in QNAP QTS, QuTS hero, and QuTScloud allows authenticated administrators to execute arbitrary commands via a network.
Vulnerability
CVE-2023-41281 is an OS command injection vulnerability in QNAP QTS 5.1.x, QuTS hero h5.1.x, and QuTScloud 5.x. The vulnerability exists in the operating system's handling of certain network requests, allowing an authenticated administrator to inject arbitrary OS commands. Affected versions include QTS 5.1.x (fixed in QTS 5.1.4.2596 build 20231128 and later), QuTS hero h5.1.x (fixed in QuTS hero h5.1.4.2596 build 20231128 and later), and QuTScloud c5.x (fixed in QuTScloud c5.1.5.2651 and later) [1].
Exploitation
An attacker must have authenticated access as an administrator to the QNAP device. The attacker crafts a malicious network request containing OS commands, which is processed by the vulnerable component without proper sanitization, resulting in command execution on the underlying system [1]. The exploitation vector is network-based and does not require any user interaction beyond the initial administrative login.
Impact
Successful exploitation allows an authenticated administrator to execute arbitrary OS commands with the privileges of the affected process. This can lead to full compromise of the device, including unauthorized data access, modification, or disruption of services. The CVSS score reflects a high-severity impact on confidentiality, integrity, and availability [1].
Mitigation
QNAP has released fixed versions: QTS 5.1.4.2596 build 20231128 and later, QuTS hero h5.1.4.2596 build 20231128 and later, and QuTScloud c5.1.5.2651 and later [1]. Users should update their systems immediately via the Control Panel's Firmware Update or by downloading from the QNAP Download Center. No workarounds are mentioned, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
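To check an inventory against the fixed versions listed above, here is an added example (not QNAP's code and not part of the original page). It assumes firmware strings follow the `X.Y.Z.N build YYYYMMDD` layout used in the advisory; the hostnames and the older version numbers in the sample inventory are constructed.

```python
import re

# Fixed releases exactly as listed in the advisory: (version, build date or None).
FIXED = {
    "QTS": ((5, 1, 4, 2596), 20231128),
    "QuTS hero": ((5, 1, 4, 2596), 20231128),
    "QuTScloud": ((5, 1, 5, 2651), None),
}
# Affected branches from the page: QTS 5.1.x, QuTS hero h5.1.x, QuTScloud c5.x.
AFFECTED = {"QTS": (5, 1), "QuTS hero": (5, 1), "QuTScloud": (5,)}
LETTER = {"QTS": "", "QuTS hero": "h", "QuTScloud": "c"}
# Assumed string layout: optional h/c prefix, four numeric fields, optional build date.
VERSION_RE = re.compile(r"^([hc]?)(\d+(?:\.\d+){3})(?:\s+build\s+(\d{8}))?$", re.I)

def parse(product, text):
    """Split a firmware string into (numeric tuple, build date or None)."""
    m = VERSION_RE.match(text.strip())
    if not m or m.group(1).lower() != LETTER[product]:
        raise ValueError(f"unrecognised {product} version: {text!r}")
    nums = tuple(int(p) for p in m.group(2).split("."))
    return nums, int(m.group(3)) if m.group(3) else None

def status(product, text):
    """Return 'vulnerable', 'fixed', or 'not-listed' for one device."""
    nums, build = parse(product, text)
    branch = AFFECTED[product]
    if nums[:len(branch)] != branch:
        return "not-listed"  # branch is outside the ranges the page names
    fixed_nums, fixed_build = FIXED[product]
    if nums != fixed_nums:
        return "fixed" if nums > fixed_nums else "vulnerable"
    # Same version number: fall back to the build date when both are known.
    if fixed_build and build and build < fixed_build:
        return "vulnerable"
    return "fixed"

def audit(inventory):
    """Return hostnames that still need the firmware update."""
    return [h for h, product, ver in inventory if status(product, ver) == "vulnerable"]

# Constructed inventory for illustration; hostnames and older versions are made up.
INVENTORY = [
    ("nas-01", "QTS", "5.1.3.2578 build 20231110"),
    ("nas-02", "QTS", "5.1.4.2596 build 20231128"),
    ("nas-03", "QuTS hero", "h5.1.5.2647 build 20240118"),
    ("nas-04", "QuTScloud", "c5.1.0.2498"),
]

if __name__ == "__main__":
    print(audit(INVENTORY))
```

A `not-listed` result means the device's branch is outside the ranges this page names, so it needs to be checked against the vendor advisory rather than treated as safe.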
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- QNAP Systems Inc./QTS v5, Range: 5.1.x
- QNAP Systems Inc./QuTScloud v5, Range: c5.x.x
- QNAP Systems Inc./QuTS hero v5, Range: h5.1.x
Patches
No patches discovered yet.
References