SC Media reports that QNAP has released updates fixing six vulnerabilities in the open-source rsync utility bundled with HBS 3 Hybrid Backup Sync 25.1.x, the backup and synchronization application that ships on its widely used network-attached storage (NAS) devices.
Billy Hoffman, Field CTO at Ionix, said the six flaws could be chained to facilitate remote command execution and arbitrary file read/write.
QNAP, which accounts for almost a quarter of the NAS market, has recommended that users install the latest HBS version immediately.
Trey Ford, chief information security officer at Bugcrowd, and John Gallagher, vice president at Viakoo Labs, also stressed the importance of remediating the flaws promptly, with Gallagher pointing to a 2023 Censys study that found patching of QNAP NAS devices to be severely lacking.
"Remote code execution and remote system compromise is as serious as it gets," said Gallagher. "Because of the inherent connectivity they have, cloud-based sync and internal sync, they can be exploited," he explained, also urging NAS users to implement IoT/OT asset discovery systems.