According to a current security advisory, network storage devices (NAS) from QNAP are subject to the critical security vulnerability CVE – 2020 – 1472 alias “Zerologon” vulnerable. The manufacturer has released security updates for its NAS operating system QTS and recommends installing them as soon as possible.

Zerologon was already in the course of the Microsoft patch day August this year became known. Microsoft removed the critical loophole that attackers could use to obtain domain admin rights from several Windows Server versions. Exploit code for Zerologon has been available since mid-September; A short time later, Microsoft warned of the first active attacks in the wild.

Last week, the FBI and CISA warned again of the danger in view of numerous still vulnerable systems:

NAS can be attacked with certain configuration QNAP NAS could be attacked via Zerologon, if they are via

Control Panel> Network & File Services> Win / Mac / NFS> Microsoft Networking have been set as the domain controller, it says in the current issue QNAP Advisory QSA – 20 – 07. The following versions of QTS are covered:

QTS 4.5.1. 1456 from build 20201015 QTS 4.4.3. 1439 from build 20200925 QTS 4.3.6. 1439 from build 20200929 QTS 4.3.4. 1463 from build 20201006 and QTS 4.3.3. 1432 from build 20201006. QTS 2.x and QES are not susceptible to Zerologon.

Update QTS To update QTS, log in as admin and switch to Control Panel> System> Firmware update. According to Advisories, “Live Update” offers the option “Check for Update”, which initiates the download and installation of the latest QTS version. Alternatively, you can go to Support> Download Cent