Hundreds of thousands of QNAP devices vulnerable to remote takeover attacks
On Tuesday, a Taiwanese security researcher published details about vulnerabilities within the firmware of Photo Station, a photo album app that is installed with all QNAP network-attached storage (NAS) devices. The researcher, Henry Huang, stated that the Photo Station app is currently installed on 80% of QNAP NAS systems, or roughly 450,000 devices.
Huang states that all of these systems with Photo Station installed are vulnerable to remote takeover attacks through three separate vulnerabilities. Huang claims that, when chained together, the bugs can be used to bypass authentication, insert malicious code, and then install a web shell on unpatched QNAP devices.