Millions of QNAP devices are exposed to a critical PHP vulnerability three years ago


QNAP, a Taiwanese NAS manufacturing company, said it is actively working to fix a critical PHP vulnerability three years ago that can be used for remote code execution. The vulnerability affects PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 with an incorrect nginx configuration. Tracked as CVE-2019-11043 (a score of 9.8 out of 10 on the CVSS scale), the error can only be used when nginx and php-fpm are running on a QNAP OS device.

According to the company’s representatives, QNAP NAS are not vulnerable to vulnerabilities in the standard configuration, since nginx is not preinstalled in them. In addition, the vulnerability has been fixed for QTS OS build 20220515 and QuTS hero h5.0.0.2069 build 20220614. It is worth noting that the following OS versions from QNAP are still vulnerable:

  • QTS 5.0.x and higher;

  • QTS 4.5.x and higher;

  • QuTS hero h5.0.x and higher;

  • QuTS hero h4.5.x and higher;

  • QuTScloud c5.0.x and higher.

The company issued a warning a week after notifying users of a new wave of DeadBolt ransomware attacks and faced another attack by the ech0raix malware.

Start a discussion …