CVE-2019-11043 is a critical, three-year-old PHP vulnerability that currently exposes QNAP NAS devices.
CVE-2019-11043 Technical Overview
The vulnerability affects PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx config. According to its technical profile, if exploited, the flaw allows attackers to perform remote code execution attacks.
QNAP has shared that CVE-2019-11043 affects the following operating system versions: QTS 5.0.x and later; QTS 4.5.x and later; QuTS hero h5.0.x and later; QuTS hero h4.5.x and later; QuTScloud c5.0.x and later. The issue has been fixed in QTS 184.108.40.2064 build 20220515 and later, and in QuTS hero h220.127.116.119 build 20220614 and later.
Earlier this year, QNAP devices were hit by a large-scale ransomware attack. Deadbolt ransomware was behind the attacks that compromised more than 3,600 QNAP network-attached storage (NAS) devices. As a result, all data located on the devices was encrypted.
According to the official QNAP statement, “DeadBolt has been widely targeting all NAS exposed to the Internet without any protection and encrypting users’ data for Bitcoin ransom.”
To avoid any such attacks, the company is urging all its customers to follow its security setting instructions and immediately update QTS to the latest available version.