Security ID : QSA-21-51
Command Injection Vulnerability in QVR
Release date : November 26, 2021
CVE identifier : CVE-2021-38685
Affected products: QNAP VS Series NVR
Severity
Critical
Status
Resolved
Summary
A command injection vulnerability has been reported to affect QNAP VS Series NVR running QVR. If exploited, this vulnerability allows remote attackers to run arbitrary commands.
We have already fixed the vulnerability in the following versions of QVR:
- QVR 5.1.6 build 20211109 and later
Recommendation
To secure your device, we strongly recommend updating your system to the latest version to benefit from vulnerability fixes.
Updating QVR
- Log on to QVR as administrator.
- Go to Control Panel > System Settings > Firmware Update.
- Select the Firmware Update tab.
- Click Browse... to upload the latest firmware file.
Tip: Download the latest firmware file for your specific device from https://www.qnapsecurity.com/n/en/product_x_down/. - Click Update System.
QVR installs the update.
Acknowledgements: JPCERT/CC and 00One, Inc.
Revision History:
V1.0 (November 26, 2021) - Published
V1.1 (December 20, 2021) - Modify Acknowledge as JPCERT/CC and 00One, Inc.