QNAP fixes NAS backup software zero-day exploited at Pwn2Own

QNAP has fixed a critical zero-day vulnerability exploited by security researchers on Thursday to hack a TS-464 NAS device during the Pwn2Own Ireland 2024 competition.

Tracked as CVE-2024-50388, the security flaw is caused by an OS command injection weakness in HBS 3 Hybrid Backup Sync version 25.1.x, the company’s disaster recovery and data backup solution.

“An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands,” QNAP said in a Tuesday security advisory.

The zero-day was patched five days after Ha The Long and Ha Anh Hoang of Viettel Cyber Security exploited it to execute arbitrary code and gain admin privileges on the third day of Pwn2Own Ireland 2024.

However, vendors usually take longer to release security patches after a Pwn2Own contest, since they are given 90 days before Trend Micro's Zero Day Initiative publishes details of the security bugs demonstrated and disclosed during the contest.

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to write about cybersecurity events and stories, cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.