QNAP fixes critical QVR remote command execution vulnerability


QNAP has released several security advisories today, including one for a critical security issue that allows remote execution of arbitrary commands on vulnerable QVR systems, the company’s video surveillance solution hosted on a NAS device.

The QVR IP video surveillance system supports multi-channel feed and cross-platform video decoding and is designed for monitoring home and office environments.

The vulnerability is tracked as CVE-2022-27588 and has a critical severity score of 9.8. It affects QVR versions prior to 5.1.6 build 20220401.

QNAP’s advisory explains that “The vulnerability has been reported to affect QNAP VS-series NVR running QVR. If exploited, this vulnerability allows remote attackers to execute arbitrary commands.”

This type of security flaw allows a threat actor to execute commands on the target to change settings, access sensitive information, or take control of the device. Depending on the context, it could also be used to move deeper into the network.

As we have seen in the past, critical vulnerabilities in QNAP systems are almost immediately exploited in cyberattacks when an exploit becomes public.

BleepingComputer has contacted QNAP to request information on whether CVE-2022-27588 is being actively exploited, and we will update the article with the company’s response.

Various QNAP fixes

In addition to the critical issue in QVR, QNAP also addressed eight vulnerabilities in other products, with severity ratings ranging from medium to high.

Here is the full list of fixes:

  • CVE-2022-27588: Critical severity RCE in QNAP QVR.
  • CVE-2021-38693: Medium severity path traversal vulnerability in thttpd, affecting QTS, QuTS hero, and QuTScloud.
  • CVE-2021-44055: Medium severity bug allowing remote access to data in some versions of Video Station.
  • CVE-2021-44056: Medium severity bug allowing remote access to data in some versions of Video Station.
  • CVE-2021-44057: High severity vulnerability in QNAP NAS running Photo Station.
  • CVE-2021-44051: High severity command injection flaw allowing arbitrary remote commands to be executed in QTS, QuTS hero, and QuTScloud.
  • CVE-2021-44052: High severity link resolution flaw allowing malicious file actions in QTS, QuTS hero, and QuTScloud.
  • CVE-2021-44053: High severity cross-site scripting (XSS) flaw allowing remote code injection into QTS, QuTS hero, and QuTScloud.
  • CVE-2021-44054: High severity open redirect vulnerability allowing users to be redirected to a malware-containing page in QTS, QuTS hero, and QuTScloud.

For more information on the affected versions and those incorporating the security updates, click on the corresponding CVE numbers above.

At this time, QNAP has not provided mitigation guidance, so the recommended action is to update your software to the latest available version.
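
To find which devices still need that update, the sketch below triages an inventory against the fixed release named in this article (5.1.6 build 20220401). It is an added example, not code from QNAP or from the original article; the version string layout is assumed from how the article writes it, and the host names and sample versions are constructed.

```python
import re

# Fixed release as stated in the article: QVR 5.1.6 build 20220401.
FIXED = (5, 1, 6, 20220401)

# Assumed layout, following how the article writes the version:
# "<major>.<minor>.<patch> build <YYYYMMDD>" (build part optional).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s+build\s+(\d{8}))?\s*$", re.IGNORECASE
)


def parse_qvr_version(text):
    """Return (major, minor, patch, build), or None if the string does not parse."""
    m = _VERSION_RE.match(text)
    if m is None:
        return None
    major, minor, patch, build = m.groups()
    # A missing build is treated as 0 (older than any real build), so an
    # incomplete inventory entry on 5.1.6 is flagged instead of passed.
    return (int(major), int(minor), int(patch), int(build or 0))


def triage(inventory):
    """Map each host to UPDATE, OK or UNKNOWN (unparseable: check by hand)."""
    result = {}
    for host, version in inventory.items():
        parsed = parse_qvr_version(version)
        if parsed is None:
            result[host] = "UNKNOWN"
        else:
            # Tuple comparison is numeric per field, so 5.1.10 > 5.1.6.
            result[host] = "UPDATE" if parsed < FIXED else "OK"
    return result


# Constructed sample inventory; host names and versions are made up.
SAMPLE_INVENTORY = {
    "nvr-lobby": "5.1.5 build 20211201",
    "nvr-warehouse": "5.1.6 build 20220315",
    "nvr-office": "5.1.6 build 20220401",
    "nvr-lab": "5.1.10 build 20220901",
    "nvr-annex": "5.1.6",
    "nvr-garage": "n/a",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:15} {SAMPLE_INVENTORY[host]:22} {status}")
```

Comparing the fields as integers avoids the string-comparison trap where "5.1.10" sorts before "5.1.6", and entries that cannot be parsed are reported separately rather than assumed patched.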