Path Traversal Vulnerability in thttpd

Summary

A path traversal vulnerability in thttpd has been reported to affect QNAP devices running QTS, QuTS hero, and QuTScloud. If exploited, this vulnerability allows attackers to access and read sensitive data.

We have already fixed this vulnerability in the following versions of QTS, QuTS hero, and QuTScloud:

• QTS 5.0.0.1986 build 20220324 and later
• QTS 4.5.4.1991 build 20220329 and later
• QuTS hero h5.0.0.1949 build 20220215 and later
• QuTS hero h4.5.4.1951 build 20220218 and later
• QuTScloud c5.0.1.1949

Recommendation

To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model.

Updating QTS, QuTS hero, or QuTScloud

1. Log on to QTS, QuTS hero, or QuTScloud as administrator.
2. Go to Control Panel > System > Firmware Update.
3. Under Live Update, click Check for Update.
   QTS, QuTS hero, or QuTScloud downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.