QNAP Q’center Virtual Appliance Command Injection Vulnerability

A vulnerability in QNAP Q’center Virtual Appliance could allow an authenticated, remote attacker to execute arbitrary commands on a targeted device.

The vulnerability is due to improper security restrictions imposed on the date configuration settings by the affected software. An attacker could exploit this vulnerability by using the passwd field to inject and execute arbitrary commands on an affected device. A successful exploit could be used to conduct further attacks.

Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available.

QNAP has confirmed the vulnerability and released software updates.

Security Impact Rating: High

CVE: CVE-2018-0709

Source:: Cisco Multivendor Vulnerability Alerts