QNAP warns NAS users of high-severity vulnerability that could lead to code execution

Title : QNAP warns NAS users of high-severity vulnerability that could lead to code execution
Description : QNAP released a patch for a high-severity vulnerability in some of its network-attached storage devices that could allow an attacker to execute remote code on the targeted device. The vulnerability, identified as CVE-2019-11043, exists in PHP and the FastCGI Process Manager. An attacker could manipulate FPM to write data over an allocated buffer and open the door for remote code. This issue had been known for nearly three years, but only recently became realistic to exploit. The company recommends users update to the latest firmware for their storage box to fix this issue. QNAP devices have faced a stretch of cyber attacks, also recently being targeted by the Deadbolt ransomware gang.

Odd: Tom’s Hardware says high severity, while the QNAP page says low severity. The exploit seems to require quite a specific configuration that is not the default, and it seems to be a local exploit.

So yes, apply the updates diligently as always, but in most cases there seems to be no need to panic.

I just send them as I see them… up to everyone to do their own research.
