Taiwan-based QNAP Systems has fixed a remote code execution (RCE) vulnerability that plagued an application that’s used by many of its Network-Attached Storage (NAS) devices.
According to an advisory issued by the company, it has patched a stack-based buffer overflow vulnerability in the Surveillance Station app.
“If exploited, this vulnerability allows attackers to execute arbitrary code”, QNAP said as it asked users of its NAS devices to update Surveillance Station to the latest version as soon as possible.
According to reports, exploiting the RCE vulnerability would also allow the perpetrators to subvert any security software or anti-malware scanners running on the compromised NAS device.
In addition to the critical RCE vulnerability, QNAP has also reportedly patched a medium severity cross-site scripting (XSS) vulnerability that plagued another of its widely used apps.
According to QNAP, if exploited, the XSS vulnerability in the Photo Station app, which is used for uploading and viewing images on to the NAS device, allowed remote attackers to inject malicious code.
QNAP has issued updates for both Surveillance Station and Photo Station apps to fix their respective vulnerabilities.
NAS devices are often targeted by threat actors since they are usually a treasure-trove of sensitive documents and files. QNAP has been at the receiving end of several malicious campaigns directed towards its devices, recently warning users about the Dovecat crypto mining malware that specifically hunted for Internet-exposed QNAP devices with weak passwords to use them for mining cryptocurrencies.