Jeff Luo

**Name of the Vulnerable Software and Affected Versions** PAN-OS (affected versions not specified) **Description** A memory corruption issue in PAN-OS software allows an unauthenticated attacker to crash the system due to a crafted packet through the data plane, resulting in a denial of service (DoS) condition. Repeated attempts to trigger this condition will result in PAN-OS entering maintenance mode. The vulnerability is actively exploited in the wild. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QTS versions prior to 5.1.5.2645 build 20240116 QTS versions prior to 4.5.4.2627 build 20231225 QTS versions prior to 4.3.6.2665 build 20240131 QTS versions prior to 4.3.4.2675 build 20240131 QTS versions prior to 4.3.3.2644 build 20240131 QTS versions prior to 4.2.6 build 20240131 QuTS hero versions prior to h5.1.5.2647 build 20240118 QuTS hero versions prior to h4.5.4.2626 build 20231225 QuTScloud versions prior to c5.1.5.2651 **Description** An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. The vulnerability exists due to the lack of measures to neutralize special elements used in the operating system command. Researchers detected vulnerable devices from 289,665 separate IP addresses. The vulnerability is related to the Quick.cgi file and can be exploited by sending a request to the "/cgi-bin/quick/quick.cgi" endpoint. The `todo` parameter, specifically the `set timeinfo` value, and the `SPECIFIC SERVER` variable are involved in the exploitation. The vulnerability allows an attacker to execute arbitrary commands, potentially leading to a remote code execution attack. **Recommendations** For QTS versions prior to 5.1.5.2645 build 20240116, update to QTS 5.1.5.2645 build 20240116 or later. For QTS versions prior to 4.5.4.2627 build 20231225, update to QTS 4.5.4.2627 build 20231225 or later. For QTS versions prior to 4.3.6.2665 build 20240131, update to QTS 4.3.6.2665 build 20240131 or later. For QTS versions prior to 4.3.4.2675 build 20240131, update to QTS 4.3.4.2675 build 20240131 or later. For QTS versions prior to 4.3.3.2644 build 20240131, update to QTS 4.3.3.2644 build 20240131 or later. For QTS versions prior to 4.2.6 build 20240131, update to QTS 4.2.6 build 20240131 or later. For QuTS hero versions prior to h5.1.5.2647 build 20240118, update to QuTS hero h5.1.5.2647 build 20240118 or later. For QuTS hero versions prior to h4.5.4.2626 build 20231225, update to QuTS hero h4.5.4.2626 build 20231225 or later. For QuTScloud versions prior to c5.1.5.2651, update to QuTScloud c5.1.5.2651 or later. As a temporary workaround, consider restricting access to the "/cgi-bin/quick/quick.cgi" endpoint until a patch is available. Avoid using the `todo` parameter with the `set timeinfo` value in the affected API endpoint until the issue is resolved.