Critical security flaws in QNAP’s NAS and router systems: What you need to know

Muhammad Zulhusni
December 10, 2024

If you’re using QNAP’s Network Attached Storage (NAS) or QuRouter systems, it’s time to pay attention. Recent security advisories have uncovered critical vulnerabilities in these products, potentially giving attackers a way to execute arbitrary commands and compromise devices. QNAP is urging users to act quickly and update systems.

According to CSO Online, the company—known for its network and software solutions and trusted by organisations such as Accenture, Cognizant, and Infosys—has identified several severe bugs in its NAS and router products. The vulnerabilities, which include OS command injection and missing authentication flaws, pose serious risks to users.

In a statement, QNAP addressed the matter, stating that “multiple vulnerabilities have been reported to affect Notes Station 3 and QuRouter.” The company has stressed the importance of using the latest updates to minimise risks.

Why NAS and router security matters

NAS systems and routers aren’t just gadgets—they’re the backbone of data storage and network management for businesses and individuals. NAS devices store critical files, enable secure file sharing, and keep organisations working smoothly. Routers form the mainstay of many infrastructures, directing packets to their eventual destinations.

Unfortunately, the central roles both play make them prime targets for hackers. NAS systems frequently house sensitive data such as patient records, proprietary business information, and academic research.
Routers like QNAP’s QuRouter series manage network traffic to ensure secure and efficient communication. If vulnerabilities in these types of devices are exploited, attackers could gain unauthorised access, disrupt operations, or take control of networks.

With the shift to remote work and the growing adoption of cloud computing, the stakes are high. The vulnerabilities in QNAP’s products underscore just how critical it is to update device software and firmware regularly and adopt proactive security practices.

The real-world risks of these vulnerabilities

The consequences of exploited vulnerabilities go beyond technical disruptions—they can affect business-critical operations. Attackers could gain access to confidential files stored on NAS systems, leading to data breaches that expose customer information or intellectual property. Operational downtime is another serious concern; compromised routers or NAS devices could leave businesses unable to access essential systems, resulting in significant financial losses.

In addition, vulnerabilities like command injection flaws can enable hackers to install malware, manipulate device settings, lock out legitimate users, or use infected devices to ‘hop’ to even more sensitive targets. For QuRouter users, attackers could intercept or alter network traffic, potentially exposing sensitive communications or causing widespread disruption.

Vulnerabilities in Notes Station 3

One of the identified flaws, tracked as CVE-2024-38643, is a missing authentication vulnerability in QNAP’s Notes Station 3. The flaw allows remote attackers to access systems without authorisation and has been rated a critical 9.8/10 on the CVSS scale. It affects Notes Station 3 versions 3.9.x, but QNAP has patched the problem in versions 3.9.7 and later.

Another vulnerability, CVE-2024-38645, is a server-side request forgery (SSRF) flaw. Once attackers gain access via the first flaw, they can exploit this issue to read sensitive application data.
The rating is 9.4/10.

A third issue, CVE-2024-38644, enables attackers to execute arbitrary commands on affected systems. While its CVSS rating is slightly lower at 8.8/10, when combined with the other two exploits, it significantly raises the risk of a full system takeover.

QNAP has also reported vulnerabilities in its QuRouter devices. One critical flaw, CVE-2024-48860, is a command injection weakness that allows remote attackers to execute commands on the host system. This vulnerability has a severity rating of 9.8/10 and affects QuRouter versions 2.4.x, though it was resolved in version 2.4.3.106. Another issue, CVE-2024-48861, allows local attackers to execute commands and has been rated 7.8/10.

How users can protect themselves

Users should ensure their firmware and software are always up to date, as installing the latest versions of software and firmware for NAS devices and routers is essential to mitigate known security risks. Adding two-factor authentication (2FA) provides an extra layer of protection, making it far m
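The affected branches and fixed versions quoted above can be turned into an inventory check. The following is an added example, not code from the article or from QNAP; it encodes only the two CVEs for which the article states both an affected branch and a fixed version, and the function names, hostnames and installed versions are constructed for illustration.

```python
import re

# Affected branch and first fixed version, as stated in the article.
ADVISORIES = [
    {"product": "Notes Station 3", "cve": "CVE-2024-38643",
     "branch": (3, 9), "fixed": (3, 9, 7)},
    {"product": "QuRouter", "cve": "CVE-2024-48860",
     "branch": (2, 4), "fixed": (2, 4, 3, 106)},
]

def parse_version(text):
    """Turn '2.4.3.106' into (2, 4, 3, 106); None if not dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def pad(version, width):
    """Right-pad with zeros so '2.4' compares as '2.4.0.0'."""
    return version + (0,) * (width - len(version))

def assess(product, version_text):
    """Return (status, [CVE ids]) for one installed product/version pair."""
    version = parse_version(version_text)
    relevant = [a for a in ADVISORIES
                if a["product"].lower() == product.strip().lower()]
    if not relevant:
        return ("not-covered", [])
    if version is None:
        # Unparseable version: surface it for manual review, do not guess.
        return ("unknown-version", [a["cve"] for a in relevant])
    hits = []
    for adv in relevant:
        width = max(len(version), len(adv["fixed"]))
        in_branch = version[:len(adv["branch"])] == adv["branch"]
        if in_branch and pad(version, width) < pad(adv["fixed"], width):
            hits.append(adv["cve"])
    return ("vulnerable", hits) if hits else ("ok", [])

def triage(inventory):
    return {host: assess(prod, ver) for host, prod, ver in inventory}

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("nas-01", "Notes Station 3", "3.9.6"), ("nas-02", "Notes Station 3", "3.9.7"),
    ("rtr-01", "QuRouter", "2.4.3.105"), ("rtr-02", "QuRouter", "2.4.3.106"),
    ("rtr-03", "QuRouter", "2.4"), ("rtr-04", "QuRouter", "h2.4.3"),
]

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(host, *result)
```

Versions are compared as integer tuples, so 3.9.10 is correctly treated as newer than 3.9.7, which a plain string comparison would get wrong.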