QNAP addresses second zero-day vulnerability exploited at Pwn2Own contest

bleepingcomputer.com October 30, 2024, 08:01 PM UTC

QNAP has released security patches for a second zero-day vulnerability exploited at the Pwn2Own Ireland 2024 contest. This SQL injection flaw, tracked as CVE-2024-50387, affected the SMB Service and is fixed in versions 4.15.002 and later.

The vulnerability allowed a researcher to gain root access to a QNAP TS-464 NAS device. QNAP also patched another zero-day in its HBS 3 Hybrid Backup Sync solution, which was exploited to execute commands on the same device.

Typically, vendors take longer to release patches after Pwn2Own, but QNAP addressed these issues within a week. The quick response is notable given the history of cyberattacks targeting QNAP devices.

