CVE-2021-28804
📋 TL;DR
This CVE-2021-28804 is a critical command injection vulnerability in QNAP QTS and QuTS hero operating systems that allows attackers to execute arbitrary commands on affected devices. Attackers can potentially gain full control of compromised systems. This affects QNAP NAS devices running vulnerable versions of QTS or QuTS hero.
💻 Affected Systems
- QNAP QTS
- QNAP QuTS hero
📦 What is this software?
Qts by Qnap
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands with root privileges, install malware, exfiltrate data, or use the device as a pivot point into the network.
Likely Case
Remote code execution leading to ransomware deployment, data theft, or cryptocurrency mining malware installation on vulnerable QNAP devices.
If Mitigated
Limited impact if devices are patched, behind firewalls, and have restricted network access, though the vulnerability remains critical if exposed.
🎯 Exploit Status
This vulnerability has been actively exploited in the wild. Exploitation requires no authentication and is relatively simple to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: QTS 4.5.1.1540 build 20210107 or later; QuTS hero h4.5.1.1582 build 20210217 or later
Vendor Advisory: https://www.qnap.com/zh-tw/security-advisory/qsa-21-29
Restart Required: Yes
Instructions:
1. Log into QNAP device web interface. 2. Go to Control Panel > System > Firmware Update. 3. Check for updates and install latest firmware. 4. Reboot device after update completes.
🔧 Temporary Workarounds
Network Isolation
allRestrict network access to QNAP devices to only trusted IP addresses
Configure firewall rules to block all external access to QNAP management ports (typically 8080, 443)
Disable Unnecessary Services
allTurn off any unnecessary services and applications on QNAP devices
Disable SSH, Telnet, and other remote access services if not needed
🧯 If You Can't Patch
- Immediately isolate affected devices from the internet and restrict network access
- Implement strict network segmentation and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check firmware version in QTS/QuTS hero web interface under Control Panel > System > Firmware UpdateCheck Version:
ssh admin@qnap-ip 'cat /etc/config/uLinux.conf | grep version' or check web interfaceVerify Fix Applied:
Verify firmware version is QTS 4.5.1.1540 build 20210107 or later, or QuTS hero h4.5.1.1582 build 20210217 or later📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- Suspicious process creation
- Failed authentication attempts followed by successful command execution
Network Indicators:
- Unusual outbound connections from QNAP devices
- Traffic to known malicious IPs
- Unexpected port scanning from QNAP devices
SIEM Query:
source="qnap_logs" AND ("command injection" OR "unauthorized command" OR suspicious_process="*sh" OR suspicious_process="*bash")