Charlie Osborne May 21, 2021 at 14:26 UTC
Updated: July 02, 2021 at 12:04 UTC
In the event of exploitation, the security breaches allowed a pre-authenticated RCE
A chain of bug attacks leading to Remote Code Execution (RCE) on QNAP NAS devices has been resolved in QNAP’s MusicStation and Malware Remover software.
QNAP Music Station is a web application for managing music stored on a NAS device via the cloud, a technology installed on more than five million devices. Malware Remover is an ecosystem of antivirus applications designed to protect QNAP NAS products.
Keep up to date with the latest cybersecurity research news
In a safety notice As of May 19, researchers at Italian security consultancy Shielder revealed two vulnerabilities that could be chained to perform “pre-authentication remote root command execution” if exploited by attackers.
The first vulnerability, followed as CVE-2020-36197 and achieved a CVSS severity score of 7.1 is incorrect access control and arbitrary write security vulnerability in Music Station. The researchers found that the software’s album art download function (),, did not prevent the transfer of specially crafted malicious files.
When parsing the query parameter, the file is executed at the root level in the QTS file system.
Music Station versions prior to 5.3.16 (QTS 4.5.2), prior to 5.2.10 (QTS 4.3.6) 5.1.14 and below (QTS 4.3.3), versions prior to 5.3.16 (QuTS h4.5.2 ), and versions 5.3.16 and lower (QuTScloud c4.5.4) are all impacted.
The second vulnerability, followed as CVE-2020-36198, is a command injection bug that could allow attackers to execute arbitrary commands by abusing an automatic scanning mechanism.
The default application contains 19 modules which are mostly in pyc format, and one of these functions,, is vulnerable to command injection and arbitrary file writing to arbitrary file path – both of which can be abused to get RCE as root.
Malware Remover versions older than 126.96.36.199 are affected.
“By chaining the two problems together, it is possible to achieve pre-authentication remote code execution with root privileges on a remote QNAP NAS,” says Shielder.
The critical vulnerabilities were reported through Trend Micro’s Zero Day Initiative (ZDI) and the vendor was notified of the researchers’ findings in January 2021.
The daily sip has contacted QNAP for comment. We will update this story as we hear more.
RELATED QNAP fixes critical RCE vulnerabilities in NAS devices