QNAP has patched a remote code execution vulnerability affecting the QTS Media Library in all versions prior to QTS 4.2.6 build 20170905 and QTS 4.3.3.0299 build 20170901. This particular vulnerability allows a remote attacker to execute commands on a QNAP NAS using a transcoding service on port 9251. A remote user does not require any privileges to successfully execute an attack.
[
{
"product": "QTS Media Libary PRODUCT",
"vendor": "QNAP",
"versions": [
{
"status": "affected",
"version": "prior to 4.2.6 build 20170905"
},
{
"status": "affected",
"version": "prior to 4.3.3.0299 build 20170901"
}
]
}
]