State of New Jersey SealOFFICIAL SITE OF THE STATE OF NEW JERSEY

High Severity Vulnerability in QNAP Devices

NJCCIC Advisory

Original Release Date: 11/13/2023

Summary

A critical severity vulnerability in several versions of the QNAP QTS operating system and applications could allow threat actors to execute commands. CVE-2023-23368 is a CVSSv3.1 9.8/10 flaw that can be exploited remotely by an unauthenticated threat actor without user interaction. Impacted QNAP versions include QTS 5.0.x, QTS 4.5.x, QuTS hero h5.0.x, QuTS hero h4.5.x, and QuTScloud c5.0.x. While no exploit or proof-of-concept code has been publicized, QNAP vulnerabilities have been widely used to facilitate ransomware attacks. There are approximately 390 public-facing QNAP QTS devices in New Jersey.

Recommendations

The NJCCIC highly recommends that QNAP administrators update impacted devices to the most current patch levels as soon as possible after appropriate testing and review the QNAP security advisory for additional information.

Join & Subscribe

Never miss an update! Sign up for a no cost membership today! Receive up-to-date content and more in our weekly bulletin.

Sign Up

Featured Content

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.

Agency Seals of State of NJ, NJOHSP and NJCCIC

STAY CONNECTED:

View our Privacy Policy here.

View our Site Index here.