Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Synology, QNAP, WD Warn Users About Vulnerabilities Exploited at Hacking Contest

Synology, QNAP and Western Digital (WD) have warned their customers about several critical Netatalk vulnerabilities that have been exploited at a recent hacking contest.

Synology, QNAP and Western Digital (WD) have warned their customers about several critical Netatalk vulnerabilities that have been exploited at a recent hacking contest.

The vulnerabilities were disclosed at the Zero Day Initiative’s Pwn2Own Austin contest in November 2021, where participants earned more than $1 million for hacking routers, printers, smart spears, smartphones and network-attached storage (NAS) devices. The NAS exploits at Pwn2Own targeted WD devices, and they earned participants roughly $500,000.

It turns out that at least half a dozen of the NAS vulnerabilities exploited at Pwn2Own affected Netatalk, the open source Apple Filing Protocol (AFP) file server.

The flaws, many of which can be exploited remotely and without authentication for arbitrary code execution, can allow an attacker to take complete control of the targeted device.

Netatalk developers delivered patches for seven vulnerabilities on March 22 with the release of version 3.1.13. The flaws are tracked as CVE-2021-31439, CVE-2022-23121, CVE-2022-23122, CVE-2022-23123, CVE-2022-23124, CVE-2022-23125 and CVE-2022-0194.

However, the previous Netatalk update was released in December 2018 and many assumed the project was no longer maintained. This includes WD, which in January released firmware updates for its My Cloud storage devices to remove Netatalk. WD products use Netatalk to “access network shares and perform Time Machine backups.”

After Netatalk developers released the update that patches the vulnerabilities disclosed at Pwn2Own, QNAP determined that some of its own NAS products are also affected. The company informed customers on April 25 that it has already started releasing QTS operating system updates to address the security holes. In the meantime, customers have been advised to disable AFP.

Advertisement. Scroll to continue reading.

Synology has determined that the Netatalk vulnerabilities affect its DiskStation Manager (DSM) and Synology Router Manager (SRM) products. A patch is already available for DSM 7.1 and fixes are being developed for the other impacted products and versions.

ZDI published advisories for each of the Netatalk vulnerabilities disclosed at Pwn2Own on March 23.

While currently there do not appear to be any reports of attacks exploiting these vulnerabilities, it’s not uncommon for cybercriminals to target NAS devices, often delivering file-encrypting ransomware and instructing victims to pay a ransom to recover their files.

Related: Serious Vulnerability Exploited at Hacking Contest Impacts Over 200 HP Printers

Related: Deadbolt Ransomware Targeting Asustor NAS Devices

Related: QNAP Devices Targeted in New Wave of DeadBolt Ransomware Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.