CVE-2021-28802
📋 TL;DR
This CVE-2021-28802 is a critical command injection vulnerability in QNAP QTS and QuTS hero operating systems that allows attackers to execute arbitrary commands on affected devices. Attackers could potentially take full control of vulnerable QNAP NAS devices. This affects QNAP QTS versions before 4.5.1.1540 and QuTS hero versions before h4.5.1.1582.
💻 Affected Systems
- QNAP QTS
- QNAP QuTS hero
📦 What is this software?
Qts by Qnap
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands with root privileges, potentially leading to data theft, ransomware deployment, or use as a foothold for lateral movement.
Likely Case
Remote code execution leading to unauthorized access, data exfiltration, or installation of malware/backdoors on vulnerable QNAP devices.
If Mitigated
Limited impact if devices are behind firewalls, not internet-facing, and have network segmentation preventing lateral movement.
🎯 Exploit Status
This vulnerability has been actively exploited in the wild. Exploitation requires no authentication and is relatively simple to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: QTS 4.5.1.1540 or later; QuTS hero h4.5.1.1582 or later
Vendor Advisory: https://www.qnap.com/zh-tw/security-advisory/qsa-21-29
Restart Required: Yes
Instructions:
1. Log into QNAP device admin interface. 2. Go to Control Panel > System > Firmware Update. 3. Check for updates and install QTS 4.5.1.1540+ or QuTS hero h4.5.1.1582+. 4. Reboot the device after update completes.
🔧 Temporary Workarounds
Disable SSH/Telnet access
allDisable remote SSH/Telnet access to reduce attack surface
Go to Control Panel > Network & File Services > Telnet/SSH > Uncheck 'Enable Telnet service' and 'Enable SSH service'
Restrict network access
allConfigure firewall rules to restrict access to QNAP management interfaces
Go to Control Panel > Security > Firewall > Create rules to allow only trusted IPs to access management ports
🧯 If You Can't Patch
- Isolate affected QNAP devices from internet and untrusted networks using firewall rules
- Implement network segmentation to limit lateral movement potential if device is compromised
🔍 How to Verify
Check if Vulnerable:
Check QTS/QuTS hero version in Control Panel > System > Firmware Update. If version is below QTS 4.5.1.1540 or QuTS hero h4.5.1.1582, device is vulnerable.Check Version:
ssh admin@qnap-ip 'cat /etc/config/uLinux.conf | grep version' or check via web interfaceVerify Fix Applied:
After updating, verify version shows QTS 4.5.1.1540+ or QuTS hero h4.5.1.1582+ in Control Panel > System > Firmware Update.📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- Suspicious process creation from web services
- Unexpected SSH/Telnet connections
Network Indicators:
- Unusual outbound connections from QNAP device
- Traffic to known malicious IPs
- Unexpected port scans originating from device
SIEM Query:
source="qnap_logs" AND (event="command_execution" OR process="unusual_process") OR dest_ip IN (malicious_ip_list)