CVE-2023-47218

Name of the Vulnerable Software and Affected Versions QTS versions prior to 5.1.5.2645 build 20240116 QuTS hero versions prior to h5.1.5.2647 build 20240118 QuTScloud versions prior to c5.1.5.2651

Description An OS command injection vulnerability exists in QNAP operating system versions due to the lack of neutralization of special elements used in the operating system command. This vulnerability could allow a remote attacker to execute arbitrary commands via a network. The issue is related to the quick.cgi file, which is used to configure uninitialized systems. There have been attempts to exploit this vulnerability, with code execution attempts targeting the '/cgi-bin/quick/quick.cgi' endpoint.

Recommendations For QTS versions prior to 5.1.5.2645 build 20240116, update to QTS 5.1.5.2645 build 20240116 or later. For QuTS hero versions prior to h5.1.5.2647 build 20240118, update to QuTS hero h5.1.5.2647 build 20240118 or later. For QuTScloud versions prior to c5.1.5.2651, update to QuTScloud c5.1.5.2651 or later. As a temporary workaround, consider restricting access to the vulnerable quick.cgi file until a patch is applied. To mitigate the risk, upgrade the firmware through the Control Panel > System > Firmware Update.