Security ID : QSA-23-04
Vulnerability in QVPN Device Client for Windows
Release date : July 28, 2023
CVE identifier : CVE-2022-27595
Affected products: QVPN Device Client for Windows
Severity
High
Status
Resolved
Summary
An insecure library loading vulnerability has been reported to affect devices running QVPN Device Client for Windows. If exploited, this vulnerability allows local authenticated users to execute code through insecure library loading.
We have already fixed the vulnerability in the following versions:
- QVPN Device Client for Windows, version 2.0.0.1316 and later
QVPN Device Client for macOS, Android, and iOS are not affected.
Recommendation
To secure your device, we recommend regularly updating your QNAP utilities to the latest versions to benefit from vulnerability fixes. You can check the QNAP Utilities page to see the latest updates available to your device operating system.
Attachment
Acknowledgements: Runzi Zhao, Security Researcher, QI-ANXIN
Revision History:
V1.0 (July 28, 2023) - Published