CVE-2023-23368 & CVE-2023-23369: Critical Command Injection Vulnerabilities in QNAP Products


On 4 November 2023, QNAP published security advisories for two critical command injection vulnerabilities affecting multiple versions of the operating systems and applications that run on the vendor's network-attached storage (NAS) devices. Both vulnerabilities carry critical CVSS scores (CVE-2023-23368: 9.8, CVE-2023-23369: 9.0), and both allow an unauthenticated, remote threat actor to execute commands on the device if successfully exploited.

At this time, Arctic Wolf has not identified any reports of active exploitation or any publicly available proof-of-concept exploit. Historically, threat actors have targeted QNAP NAS products: multiple QNAP vulnerabilities have been added to CISA's Known Exploited Vulnerabilities Catalog after threat actors leveraged them to deploy ransomware.

Recommendations for CVE-2023-23368 & CVE-2023-23369

Upgrade Vulnerable QNAP Products to Fixed Versions 

Arctic Wolf strongly recommends applying the latest security updates to affected QNAP products. The fixed releases below are identified by version number and, for QTS and QuTS hero, by build date; both should be compared when confirming that a device is on a fixed release.

Product                   Affected Version   CVE              Fixed Version
QTS                       5.0.x              CVE-2023-23368   QTS 5.0.1.2376 build 20230421 and later
QTS                       4.5.x              CVE-2023-23368   QTS 4.5.4.2374 build 20230416 and later
QTS                       5.1.x              CVE-2023-23369   QTS 5.1.0.2399 build 20230515 and later
QTS                       4.3.6              CVE-2023-23369   QTS 4.3.6.2441 build 20230621 and later
QTS                       4.3.4              CVE-2023-23369   QTS 4.3.4.2451 build 20230621 and later
QTS                       4.3.3              CVE-2023-23369   QTS 4.3.3.2420 build 20230621 and later
QTS                       4.2.x              CVE-2023-23369   QTS 4.2.6 build 20230621 and later
QuTS hero                 h5.0.x             CVE-2023-23368   QuTS hero h5.0.1.2376 build 20230421 and later
QuTS hero                 h4.5.x             CVE-2023-23368   QuTS hero h4.5.4.2374 build 20230417 and later
QuTScloud                 c5.0.x             CVE-2023-23368   QuTScloud c5.0.1.2374 and later
Multimedia Console        2.1.x              CVE-2023-23369   Multimedia Console 2.1.2 (2023/05/04) and later
Multimedia Console        1.4.x              CVE-2023-23369   Multimedia Console 1.4.8 (2023/05/05) and later
Media Streaming add-on    500.1.x            CVE-2023-23369   Media Streaming add-on 500.1.1.2 (2023/06/12) and later
Media Streaming add-on    500.0.x            CVE-2023-23369   Media Streaming add-on 500.0.0.11 (2023/06/16) and later

Please follow your organisation’s patching and testing guidelines to avoid any operational impact. 
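A practical way to act on the table is to compare the version string a device reports against the first fixed release for its branch, remembering that for QTS and QuTS hero the advisories identify a fix by version number and build date together. The script below is an added example written for this page, not code from QNAP or Arctic Wolf. It assumes version strings in the form QNAP uses ("QTS 5.0.1.2376 build 20230421", "QuTS hero h5.0.1.2376 build 20230421", "QuTScloud c5.0.1.2374", "Multimedia Console 2.1.2") and encodes only the branches the two advisories list; the sample inputs in the `__main__` block are constructed for illustration.

```python
"""Check a QNAP product version string against the fixed releases from the
QNAP advisories for CVE-2023-23368 and CVE-2023-23369 (the table above).

Added example, not QNAP's or Arctic Wolf's code.  Assumes QNAP's own
"Product x.y.z.build build YYYYMMDD" version format and knows only the
branches the advisories enumerate.
"""
import re
from typing import NamedTuple, Optional, Tuple


class Fix(NamedTuple):
    product: str
    branch: Tuple[int, ...]      # affected branch prefix, e.g. (5, 0) for 5.0.x
    cve: str
    version: Tuple[int, ...]     # first fixed version number
    build: Optional[int]         # fixed build date YYYYMMDD, where the advisory gives one


# Transcribed from the table above.  The app entries (Multimedia Console,
# Media Streaming add-on) are compared on version number only: the release
# date in parentheses is not part of the version string a NAS reports.
FIXES = [
    Fix("QTS", (5, 0), "CVE-2023-23368", (5, 0, 1, 2376), 20230421),
    Fix("QTS", (4, 5), "CVE-2023-23368", (4, 5, 4, 2374), 20230416),
    Fix("QTS", (5, 1), "CVE-2023-23369", (5, 1, 0, 2399), 20230515),
    Fix("QTS", (4, 3, 6), "CVE-2023-23369", (4, 3, 6, 2441), 20230621),
    Fix("QTS", (4, 3, 4), "CVE-2023-23369", (4, 3, 4, 2451), 20230621),
    Fix("QTS", (4, 3, 3), "CVE-2023-23369", (4, 3, 3, 2420), 20230621),
    Fix("QTS", (4, 2), "CVE-2023-23369", (4, 2, 6), 20230621),
    Fix("QuTS hero", (5, 0), "CVE-2023-23368", (5, 0, 1, 2376), 20230421),
    Fix("QuTS hero", (4, 5), "CVE-2023-23368", (4, 5, 4, 2374), 20230417),
    Fix("QuTScloud", (5, 0), "CVE-2023-23368", (5, 0, 1, 2374), None),
    Fix("Multimedia Console", (2, 1), "CVE-2023-23369", (2, 1, 2), None),
    Fix("Multimedia Console", (1, 4), "CVE-2023-23369", (1, 4, 8), None),
    Fix("Media Streaming add-on", (500, 1), "CVE-2023-23369", (500, 1, 1, 2), None),
    Fix("Media Streaming add-on", (500, 0), "CVE-2023-23369", (500, 0, 0, 11), None),
]

# Product name, optional "h"/"c" prefix used by QuTS hero / QuTScloud,
# dotted numeric version, optional "build YYYYMMDD".
_VERSION_RE = re.compile(
    r"^(?P<product>QTS|QuTS hero|QuTScloud|Multimedia Console|Media Streaming add-on)"
    r"\s+[hc]?(?P<version>\d+(?:\.\d+)*)"
    r"(?:\s+build\s+(?P<build>\d{8}))?\s*$"
)


def parse_version(text: str):
    """'QuTS hero h5.0.1.2300 build 20230301' -> ('QuTS hero', (5, 0, 1, 2300), 20230301)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    version = tuple(int(part) for part in m.group("version").split("."))
    build = int(m.group("build")) if m.group("build") else None
    return m.group("product"), version, build


def check(text: str) -> dict:
    """Return {'status': 'fixed' | 'affected' | 'not listed', 'cve': ..., 'fix': ...}."""
    product, version, build = parse_version(text)
    for fix in FIXES:
        if fix.product == product and version[: len(fix.branch)] == fix.branch:
            break
    else:
        # The advisories only enumerate the branches above; a release outside
        # them cannot be judged from the advisories alone.
        return {"status": "not listed", "cve": None, "fix": None}

    fix_label = f"{fix.product} {'.'.join(map(str, fix.version))}"
    if fix.build:
        fix_label += f" build {fix.build}"

    if version > fix.version:
        status = "fixed"
    elif version < fix.version:
        status = "affected"
    elif fix.build is None or (build is not None and build >= fix.build):
        status = "fixed"
    else:
        # Same version number but an older build date, or no build date to
        # compare: treat as still vulnerable rather than guess.
        status = "affected"
    return {"status": status, "cve": fix.cve, "fix": fix_label}


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for sample in ["QTS 5.0.1.2277 build 20230112",
                   "QuTS hero h4.5.4.2374 build 20230301",
                   "Media Streaming add-on 500.1.1.2",
                   "QuTS hero h5.1.0.2300 build 20230301"]:
        print(f"{sample:45} -> {check(sample)}")
```

The comparison is deliberately conservative: a device that reports the fixed version number without a build date is still reported as affected, and a branch the advisories do not mention is reported as "not listed" rather than "fixed".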

References 

  1. CVE-2023-23368 advisory
  2. CVE-2023-23369 advisory
James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.