QNAP Helpdesk Improper Access Control Vulnerability
QNAP Helpdesk contains an improper access control vulnerability which could allow an attacker to gain privileges or to read sensitive information.
A remote attacker, without authentication, can achieve partial data exposure, partial data tampering, partial service disruption. Federal agencies are required to remediate by 2022-04-15 under CISA BOD 22-01.
This is a Software Vulnerability (CWE-284) (CWE-284) vulnerability in QNAP Systems Helpdesk. The vulnerability have been reported to affect earlier versions of QTS. If exploited, this improper access control vulnerability could allow attackers to compromise the security of the software by gaining privileges, or reading sensitive information. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3. Exploitation requires remote network access, low attack complexity, no authentication required, and no user interaction required.
📧
Phishing link
🖼
Malicious file
🔓
Server compromised
Probably yes if any of these apply:
CISA added this CVE to the Known Exploited Vulnerabilities catalog on 2022-03-25 based on evidence of active exploitation in the wild. Federal agencies required to remediate by 2022-04-15.
Manual remediation steps
Apply the Vendor Patch
This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.
CISA required action: Apply updates per vendor instructions.
References
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.
References