Tim Herres

**Name of the Vulnerable Software and Affected Versions** QNAP VioStor NVR devices version 4.0.3 QNAP NAS with Surveillance Station Pro component (affected versions not specified) **Description** The issue concerns a hardcoded guest account in the affected devices, allowing remote attackers to gain web-server login access. **Recommendations** For QNAP VioStor NVR devices version 4.0.3, consider changing the default guest account credentials as a temporary workaround. For QNAP NAS with Surveillance Station Pro component, restrict access to the Surveillance Station Pro component until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QNAP VioStor NVR devices version 4.0.3 QNAP NAS (affected versions not specified), specifically in the Surveillance Station Pro component **Description** The issue allows remote authenticated users to execute arbitrary commands. This is achieved by leveraging guest access and placing shell metacharacters in the query string of the 'cgi-bin/pingping.cgi' endpoint. **Recommendations** For QNAP VioStor NVR devices version 4.0.3, update the firmware to a version that addresses this issue. For QNAP NAS with the Surveillance Station Pro component, restrict access to the 'cgi-bin/pingping.cgi' endpoint until a fix is available. As a temporary workaround, consider disabling guest access to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** QNAP VioStor NVR devices with firmware 4.0.3 **Description** A cross-site request forgery (CSRF) issue affects the cgi-bin/create user.cgi endpoint, allowing remote attackers to hijack administrator authentication for creating administrative accounts via a NEW USER action. **Recommendations** For QNAP VioStor NVR devices with firmware 4.0.3, consider disabling access to the cgi-bin/create user.cgi endpoint until a patch is available to prevent exploitation of the CSRF issue.