QNAP Fixes Several Flaws Related to Recent Security Update

QNAP, a leading provider of network-attached storage (NAS) devices and routers, has faced widespread criticism after a recent firmware update left many users unable to access their devices. The problematic update, QTS 5.2.2.2950 build 20241114, was released in mid-November to address multiple security vulnerabilities.

However, the update quickly caused major issues, including locking users out and breaking key system functionalities. The company responded by withdrawing the firmware within 24 hours and issuing a fixed version, but the incident has left users questioning the reliability of QNAP’s testing processes.

First noted by BleepingComputer, users reported that the firmware caused log-in errors, connectivity problems, and issues with essential applications like Malware Remover. Similar complaints were echoed on QNAP’s community forums, where affected users said downgrading to a previous version of the firmware was the only immediate solution.

The Register reported that some users also criticized QNAP’s lack of transparency by failing to identify affected models and its slow-to-respond customer support. One user commented, “I have raised this with QNAP, but so far, the devs/support are silent. Not even any guidance to any possible issues.”

Beyond the firmware issues, QNAP did address critical vulnerabilities in its devices. Among the most severe was an OS command injection flaw in QuRouter 2.4.x, identified as CVE-2024-48860, which allowed attackers to execute commands remotely. Other vulnerabilities included missing authentication checks in the Notes Station 3, enabling unauthorized access, and the possibility of server-side request forgery, which could expose sensitive data.

Similar concerns arose recently with Foxconn, another major Taiwanese company, when its subsidiary, Foxsemicon, fell victim to a LockBit ransomware attack. The incident exposed critical gaps in its cybersecurity protocols, emphasizing the growing necessity for robust defenses and proactive issue management in the tech industry.