QNAP addresses second zero-day vulnerability exploited at Pwn2Own contest
QNAP has released security patches for a second zero-day vulnerability exploited at the Pwn2Own Ireland 2024 contest. The SQL injection flaw, tracked as CVE-2024-50387, affected the SMB Service and is fixed in versions 4.15.002 and later.
The vulnerability allowed a researcher to gain root access to a QNAP TS-464 NAS device. QNAP also patched another zero-day in its HBS 3 Hybrid Backup Sync solution, which was exploited to execute commands on the same device.
Typically, vendors take longer to release patches after Pwn2Own, but QNAP addressed these issues within a week. The quick response is notable given the history of cyberattacks targeting QNAP devices.