QNAP Systems, Inc., a Taiwanese corporation that specializes in network-attached storage (NAS) appliances, has fixed two critical-severity vulnerabilities affecting its QVR video surveillance solution. When abused, these issues could let an attacker run arbitrary commands.
What Is QVR?
As advertised by QNAP, the QVR Pro Appliance is an SMB-grade, tower-based network surveillance server that supports high-quality real-time video/audio monitoring, megapixel recording, and playback from multiple IP cameras in order to protect your valuable possessions.
Yesterday, the Taiwan-based company announced that it had patched three command injection flaws impacting its QVR software for managing video monitoring. According to BleepingComputer, two of the three received a critical severity score of 9.8 out of 10.
The two vulnerabilities are tracked as CVE-2021-34351 and CVE-2021-34348 and, according to experts, could enable a remote cybercriminal to execute commands on exposed systems when exploited. This way, an attacker could gain complete control of the device.
QNAP Fixes Another Vulnerability
CVE-2021-34349 is another security vulnerability from the same class that QNAP has also patched. This third flaw has a lower severity score than the first two, at 7.2 out of 10.
As mentioned by BleepingComputer, in order to exploit the critical vulnerabilities