CVE-2023-23368 & CVE-2023-23369: Critical Command Injection Vulnerabilities in QNAP Products
On November 4, 2023, QNAP published security advisories for two critical command injection vulnerabilities impacting multiple versions of QNAP operating systems and applications related to the vendor’s network-attached storage (NAS) devices. Both vulnerabilities have been given critical CVSS scores (CVE-2023-23368: 9.8, CVE-2023-23369: 9.0) and both can lead to unauthenticated, remote threat actors executing commands if successfully exploited.