A vulnerability has been reported to affect Network & Virtual Switch. If exploited, the vulnerability could allow local authenticated administrators to gain access to and execute certain functions via unspecified vectors.
We have already fixed the vulnerability in the following versions:
QTS 5.1.8.2823 build 20240712 and later
QuTS hero h5.1.8.2823 build 20240712 and later
This vulnerability allows remote attackers to execute arbitrary code on affected installations of QNAP TS-464 NAS devices. An attacker must first obtain the ability to make modifications to device configuration in order to exploit this vulnerability.
The specific flaw exists within the legacy_api endpoints. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of admin.
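A check of firmware strings against the fixed releases listed above, as an added example that is not part of the advisory or of QNAP's tooling. The function names and the sample inventory are hypothetical, and the ordering rule used for "and later" is an assumption stated in the code; a `False` result only means the build predates the listed fix.

```python
import re

# Fixed releases copied from the advisory text: (version tuple, build date).
FIXED = {
    "QTS": ((5, 1, 8, 2823), 20240712),
    "QuTS hero": ((5, 1, 8, 2823), 20240712),
}

# "5.1.8.2823 build 20240712" or "h5.1.8.2823 build 20240712" (QuTS hero).
_FW_RE = re.compile(
    r"^(?P<hero>h)?(?P<ver>\d+\.\d+\.\d+\.\d+)\s+build\s+(?P<build>\d{8})$"
)


def parse_firmware(text):
    """Return (product, version_tuple, build_date) for a firmware string."""
    m = _FW_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    product = "QuTS hero" if m.group("hero") else "QTS"
    version = tuple(int(part) for part in m.group("ver").split("."))
    return product, version, int(m.group("build"))


def at_or_after_fix(text):
    """True if the firmware is the fixed release or a later one.

    Assumption: "and later" means a higher version number, or the same
    version number with a build date that is not earlier.
    """
    product, version, build = parse_firmware(text)
    return (version, build) >= FIXED[product]


if __name__ == "__main__":
    # Constructed inventory for illustration; not real devices.
    inventory = {
        "nas-a": "5.1.8.2823 build 20240712",
        "nas-b": "h5.1.7.2770 build 20240520",
        "nas-c": "5.2.0.2851 build 20240808",
    }
    for host, fw in sorted(inventory.items()):
        status = "fixed" if at_or_after_fix(fw) else "needs update"
        print(f"{host}: {fw} -> {status}")
```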