March 30, 2023

QNAP Patches High-Severity Vulnerability Exists In The Wild

QNAP has issued a warning to consumers that some of its Network Attached Storage (NAS) devices are vulnerable to high-severity privilege escalation vulnerability.

The Vulnerability

• CVE-2023-22809 (CVSS 3.1 : 7.8, High-severity) – Privilage escalation vulnerability (sudoers policy bypass) in Sudo version 1.9.12p1.
  Successful exploitation on unpatched devices could enable attackers to escalate privileges by editing unauthorized files.

Affected Products

According Qnap, the vulnerability affects the following QNAP operating systems:

• QTS
• QuTS hero
• QuTScloud
• QVP (QVR Pro appliances)

Mitigation

CYREBRO recommends to update QNAP NAS devices to the latest firmware version.

References: QNAP Advisory