{"id":55336,"date":"2024-02-14T15:00:51","date_gmt":"2024-02-14T15:00:51","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/35531\/QNAP-Vulnerability-Disclosure-Ends-An-Utter-Shambles.html"},"modified":"2024-02-14T15:00:51","modified_gmt":"2024-02-14T15:00:51","slug":"qnap-vulnerability-disclosure-ends-an-utter-shambles","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/qnap-vulnerability-disclosure-ends-an-utter-shambles\/","title":{"rendered":"QNAP Vulnerability Disclosure Ends An Utter Shambles"},"content":{"rendered":"<p>Network-attached storage (NAS) specialist QNAP has disclosed and released fixes for two new vulnerabilities, one of them a zero-day discovered in early November.<\/p>\n<p>The Taiwanese company&#8217;s coordinated disclosure of the issues with researchers at Unit 42 by Palo Alto Networks has, however, led to some confusion over the severity of the security problem.<\/p>\n<p>QNAP assigned CVE-2023-50358 a middling 5.8-out-of-10 severity score, the <a target=\"_blank\" href=\"https:\/\/nvd.nist.gov\/vuln-metrics\/cvss\/v3-calculator?name=CVE-2023-50358&amp;vector=AV:A\/AC:H\/PR:N\/UI:N\/S:C\/C:L\/I:L\/A:L&amp;version=3.1&amp;source=QNAP%20Systems,%20Inc.\" rel=\"nofollow noopener\">breakdown<\/a> of which revealed it was classified as a high-complexity attack that would have a low impact if exploited successfully.<\/p>\n<p>Unit 42&#8217;s <a target=\"_blank\" href=\"https:\/\/unit42.paloaltonetworks.com\/qnap-qts-firmware-cve-2023-50358\/\" rel=\"nofollow noopener\">assessment<\/a>, on the other hand, was the polar opposite: &#8220;These remote code execution vulnerabilities affecting IoT devices exhibit a combination of low attack complexity and critical impact, making them an irresistible target for threat actors. As a result, protecting IoT devices against such threats is an urgent task.&#8221;<\/p>\n<p>The German Federal Office for Information Security (BSI) also released an <a target=\"_blank\" href=\"https:\/\/www.bsi.bund.de\/SharedDocs\/Cybersicherheitswarnungen\/DE\/2024\/2024-213941-1032\" rel=\"nofollow noopener\">emergency alert<\/a> today warning that successful exploits could lead to &#8220;major damage,&#8221; encouraging users to apply patches quickly.<\/p>\n<p>At the time of writing, the National Vulnerability Database (NVD) is still working to assign the vulnerability an independent rating.<\/p>\n<p>Typically, command injection vulnerabilities that are easy to exploit tend to attract <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2021\/01\/08\/cvss_scoring_survey\/\" rel=\"noopener\">severity scores<\/a> at the higher end of the scale, so it will be interesting to see what the NVD&#8217;s score ends up being.<\/p>\n<p>According to Unit42&#8217;s internet scans of vulnerable devices carried out in mid-January,&nbsp;289,665 separate IP addresses registered a vulnerable, public-facing device.<\/p>\n<p>Germany and the US were the most exposed, with 42,535 and 36,865 vulnerable devices respectively, while China, Italy, Japan, Taiwan, and France trailed each with over 10,000 devices exposed.<\/p>\n<h3 class=\"crosshead\">Exploiting CVE-2023-50358<\/h3>\n<p>Unlike QNAP, Unit 42 published a technical breakdown of CVE-2023-50358 and how to exploit the vulnerability.<\/p>\n<p>It&#8217;s classed as a command injection flaw in the quick.cgi component of QNAP&#8217;s QTS firmware, which runs on most of its NAS devices.<\/p>\n<p>&#8220;While setting the HTTP request parameter todo=set_timeinfo, the request handler in quick.cgi saves the value of the parameter SPECIFIC_SERVER into a configuration file \/tmp\/quick\/quick_tmp.conf with the entry name NTP Address,&#8221; the researchers explained.<\/p>\n<p>&#8220;After writing the NTP server address, the component starts time synchronization using the ntpdate utility. The command-line execution is built by reading the NTP Address in quick_tmp.conf, and this string is then executed using system().<\/p>\n<p>&#8220;Untrusted data from the SPECIFIC_SERVER parameter is therefore used to build a command line to be executed in the shell resulting in arbitrary command execution.&#8221;<\/p>\n<h3 class=\"crosshead\">Double up<\/h3>\n<p>QNAP&#8217;s advisory also detailed fixes for a second command injection flaw, CVE-2023-47218, which was reported by Stephen Fewer, principal security researcher at Rapid7, and has also been given the same 5.8 severity score.<\/p>\n<p>The advisory itself combines both vulnerabilities and provides technical details for neither, so it&#8217;s difficult to determine what the differences are from this alone.<\/p>\n<p>Rapid7&#8217;s <a target=\"_blank\" href=\"https:\/\/www.rapid7.com\/blog\/post\/2024\/02\/13\/cve-2023-47218-qnap-qts-and-quts-hero-unauthenticated-command-injection-fixed\/\" rel=\"nofollow noopener\">advisory<\/a>, however, provides extensive detail on how CVE-2023-47218 also lies in the quick.cgi component, allowing for command injection, and how it can feasibly be exploited using a specially crafted HTTP POST request.<\/p>\n<p>Details of the disclosure timeline also offered a glimpse at
what appears to be a slightly ticked-off Rapid7 after QNAP went silent and published its patches earlier than agreed.<\/p>\n<p>After agreeing to a coordinated disclosure date for the vulnerabilities of February 7 back in December, on January 25 QNAP told Rapid7 it had already pushed out the patches. This followed more than two weeks of radio silence from the NAS slinger after Rapid7 requested a progress update.<\/p>\n<p>QNAP also asked Rapid7 to delay the publication of its advisory to February 26, nearly three weeks after the original agreed date, which didn&#8217;t appear to have been received warmly.<\/p>\n<h3 class=\"crosshead\">So many patches<\/h3>\n<p>Rather than focusing on the technical details of the vulnerabilities, QNAP&#8217;s main focus with its disclosure appears to be highlighting the different patches available for different firmware versions. QTS, QuTS hero, and QuTScloud are all impacted differently and each version has its own specific upgrade recommendation.<\/p>\n<div class=\"reg_tbl_container\">\n<table class=\"reg_tbl\">\n<tbody readability=\"26\">\n<tr>\n<td class=\"stripe\">Affected Product<\/td>\n<td class=\"stripe\">Severity<\/td>\n<td class=\"stripe\">Partially Fixed Version<\/td>\n<td class=\"stripe\">Fully Fixed Version<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>QTS 5.1.x<\/td>\n<td class=\"stripe\">Medium<\/td>\n<td>QTS 5.1.0.2444 build 20230629 and later<\/td>\n<td class=\"stripe\">QTS 5.1.5.2645 build 20240116 and later<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>QTS 5.0.1<\/td>\n<td class=\"stripe\">Medium<\/td>\n<td>QTS 5.0.1.2145 build 20220903 and later<\/td>\n<td class=\"stripe\">QTS 5.1.5.2645 build 20240116 and later<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>QTS 5.0.0<\/td>\n<td class=\"stripe\">High<\/td>\n<td>QTS 5.0.0.1986 build 20220324 and later<\/td>\n<td class=\"stripe\">QTS 5.1.5.2645 build 20240116 and later<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>QTS 4.5.x, 4.4.x<\/td>\n<td class=\"stripe\">High<\/td>\n<td>QTS
4.5.4.2012 build 20220419 and later<\/td>\n<td class=\"stripe\">QTS 4.5.4.2627 build 20231225 and later<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>QTS 4.3.6, 4.3.5<\/td>\n<td class=\"stripe\">High<\/td>\n<td>QTS 4.3.6.2665 build 20240131 and later<\/td>\n<td class=\"stripe\">QTS 4.3.6.2665 build 20240131 and later<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>QTS 4.3.4<\/td>\n<td class=\"stripe\">High<\/td>\n<td>QTS 4.3.4.2675 build 20240131 and later<\/td>\n<td class=\"stripe\">QTS 4.3.4.2675 build 20240131 and later<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>QTS 4.3.x<\/td>\n<td class=\"stripe\">High<\/td>\n<td>QTS 4.3.3.2644 build 20240131 and later<\/td>\n<td class=\"stripe\">QTS 4.3.3.2644 build 20240131 and later<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>QTS 4.2.x<\/td>\n<td class=\"stripe\">High<\/td>\n<td>QTS 4.2.6 build 20240131 and later<\/td>\n<td class=\"stripe\">QTS 4.2.6 build 20240131 and later<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>QuTS hero h5.1.x<\/td>\n<td class=\"stripe\">Medium<\/td>\n<td>QuTS hero h5.1.0.2466 build 20230721 and later<\/td>\n<td class=\"stripe\">QuTS hero h5.1.5.2647 build 20240118 and later<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>QuTS hero h5.0.1<\/td>\n<td class=\"stripe\">Medium<\/td>\n<td>QuTS hero h5.0.1.2192 build 20221020 and later<\/td>\n<td class=\"stripe\">QuTS hero h5.1.5.2647 build 20240118 and later<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>QuTS hero h5.0.0<\/td>\n<td class=\"stripe\">High<\/td>\n<td>QuTS hero h5.0.0.1986 build 20220324 and later<\/td>\n<td class=\"stripe\">QuTS hero h5.1.5.2647 build 20240118 and later<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>QuTS hero h4.x<\/td>\n<td class=\"stripe\">High<\/td>\n<td>QuTS hero h4.5.4.1991 build 20220330 and later<\/td>\n<td class=\"stripe\">QuTS hero h4.5.4.2626 build 20231225 and later<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>QuTScloud c5.x<\/td>\n<td class=\"stripe\">High<\/td>\n<td>QuTScloud c5.1.5.2651 and later<\/td>\n<td class=\"stripe\">QuTScloud 
c5.1.5.2651 and later<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>The general advice, as ever, is to upgrade to the latest available version, although QNAP&#8217;s <a target=\"_blank\" href=\"https:\/\/www.qnap.com\/en\/security-advisory\/qsa-23-57\" rel=\"nofollow noopener\">advisory<\/a> also provides mitigation steps if upgrades can&#8217;t be applied immediately.<\/p>\n<p>Curiously, it also lists different firmware versions as being affected to different degrees, assigning different severity ratings for different firmware versions. The vendor doesn&#8217;t explain why this is the case.<\/p>\n<p>The vulnerabilities disclosed today are the latest in a fairly extensive line of command injection flaws to impact QTS and QuTS <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2023\/04\/17\/opinion_column\/\" rel=\"noopener\">firmware<\/a>.&nbsp;<\/p>\n<p>In just this year alone, less than two months in, 15 different security advisories have been released to disclose 12 different command injection vulnerabilities impacting various devices.
\u00ae<\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[60],"tags":[1011],"class_list":["post-55336","post","type-post","status-publish","format-standard","hentry","category-packet-storm","tag-headlineflawpatch"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/55336","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=55336"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/55336\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=55336"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=55336"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=55336"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}