In a digital era where surveillance solutions play a pivotal role in our security infrastructure, the recent revelation of a critical vulnerability in QNAP’s VioStor Network Video Recorder (NVR) devices has sent shockwaves through the cybersecurity community. Discovered by the Akamai Security Intelligence Response Team (SIRT), this vulnerability, labeled CVE-2023-47565, has been actively exploited, posing a significant threat to network security.
With a concerning Common Vulnerability Scoring System (CVSS) v3 score of 8.0, CVE-2023-47565 exposes a glaring gap in the defenses of the QNAP VioStor NVR, renowned for its high-performance network surveillance capabilities, IP camera monitoring, video recording, playback, and remote data access.
At the heart of this vulnerability is OS command injection by an authenticated attacker. The payload is delivered in a POST request to the management interface, with the attacker authenticating through the device's default credentials. The vulnerability was previously unknown and unreported.
The investigation initially began with the discovery of two zero-day vulnerabilities in the InfectedSlurs campaign. The link to a specific device or manufacturer was elusive until further analysis pinpointed the QNAP VioStor NVR devices as the primary targets. These devices, often shipped with weak default credentials outlined in their manuals, were susceptible to OS command injection vulnerabilities, particularly in their Network Time Protocol (NTP) settings.
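The class of check that keeps an NTP-server setting from reaching a shell can be sketched as follows. This is an added example, not QNAP's firmware code or Akamai's detection logic; the form field name `ntp_server` and the request bodies are constructed for illustration, since the real parameter is not named here.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Hypothetical form field name (assumption; the real parameter is not given).
NTP_FIELD = "ntp_server"

# Characters that can appear in a hostname or an IP literal. Checked first so
# that shell metacharacters, whitespace and '%' never reach the parsers below.
_ALLOWED = re.compile(r"[A-Za-z0-9.:-]+")
# RFC 1123 label: letters, digits, hyphen, with no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_ntp_server(value: str) -> bool:
    """Accept only an IP literal or an RFC 1123 hostname."""
    if not value or len(value) > 253 or not _ALLOWED.fullmatch(value):
        return False
    try:
        # Safe only after the allowlist: ip_address() alone accepts an IPv6
        # scope id such as "fe80::1%<arbitrary text>".
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return all(_LABEL.fullmatch(label) for label in value.split("."))


def flag_ntp_updates(bodies):
    """Return (index, value) for each POST body whose NTP field fails validation."""
    flagged = []
    for i, body in enumerate(bodies):
        fields = parse_qs(body, keep_blank_values=True)
        for value in fields.get(NTP_FIELD, []):
            if not is_valid_ntp_server(value):
                flagged.append((i, value))
    return flagged


# Constructed sample form bodies, as a logging proxy might capture them.
SAMPLE_BODIES = [
    "ntp_server=pool.ntp.org&tz=UTC",
    "ntp_server=192.0.2.10",
    "ntp_server=time.example.net%3Bid",   # decodes to a value containing ';'
    "ntp_server=fe80%3A%3A1%25x%3Bid",    # metacharacter hidden in a scope id
]

if __name__ == "__main__":
    for index, value in flag_ntp_updates(SAMPLE_BODIES):
        print(f"body {index}: rejected NTP server value {value!r}")
```

The same validator serves on both sides: as input validation before a setting is applied, and as a filter over captured management-interface requests during review.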
Although QNAP has declared these NVR devices discontinued in terms of support, the recent discovery has prompted an urgent recommendation from the vendor to upgrade the firmware to the latest available version. The issue had been patched previously, but it was never publicly disclosed. QNAP also advises users to change the default passwords on their devices.
Recognizing the severity of this vulnerability, the United States Cybersecurity and Infrastructure Security Agency (CISA) took decisive action by adding CVE-2023-47565 to its ‘Known Exploited Vulnerabilities (KEV) Catalog’ on December 21. This inclusion serves as both a cautionary tale and a call to action for administrative agencies, urging them to take immediate steps to mitigate the potential risks posed by this exploit.
As the digital landscape evolves, so do the threats that permeate it. The discovery of CVE-2023-47565 underscores the critical importance of proactive cybersecurity measures, rapid response protocols, and collaborative efforts to ensure the resilience of our digital infrastructure in the face of ever-evolving cyber threats.