Security Experts:

Connect with us

Hi, what are you looking for?



Synology, QNAP, WD Warn Users About Vulnerabilities Exploited at Hacking Contest

Synology, QNAP and Western Digital (WD) have warned their customers about several critical Netatalk vulnerabilities that have been exploited at a recent hacking contest.

Synology, QNAP and Western Digital (WD) have warned their customers about several critical Netatalk vulnerabilities that have been exploited at a recent hacking contest.

The vulnerabilities were disclosed at the Zero Day Initiative’s Pwn2Own Austin contest in November 2021, where participants earned more than $1 million for hacking routers, printers, smart spears, smartphones and network-attached storage (NAS) devices. The NAS exploits at Pwn2Own targeted WD devices, and they earned participants roughly $500,000.

It turns out that at least half a dozen of the NAS vulnerabilities exploited at Pwn2Own affected Netatalk, the open source Apple Filing Protocol (AFP) file server.

The flaws, many of which can be exploited remotely and without authentication for arbitrary code execution, can allow an attacker to take complete control of the targeted device.

Netatalk developers delivered patches for seven vulnerabilities on March 22 with the release of version 3.1.13. The flaws are tracked as CVE-2021-31439, CVE-2022-23121, CVE-2022-23122, CVE-2022-23123, CVE-2022-23124, CVE-2022-23125 and CVE-2022-0194.

However, the previous Netatalk update was released in December 2018 and many assumed the project was no longer maintained. This includes WD, which in January released firmware updates for its My Cloud storage devices to remove Netatalk. WD products use Netatalk to “access network shares and perform Time Machine backups.”

After Netatalk developers released the update that patches the vulnerabilities disclosed at Pwn2Own, QNAP determined that some of its own NAS products are also affected. The company informed customers on April 25 that it has already started releasing QTS operating system updates to address the security holes. In the meantime, customers have been advised to disable AFP.

Synology has determined that the Netatalk vulnerabilities affect its DiskStation Manager (DSM) and Synology Router Manager (SRM) products. A patch is already available for DSM 7.1 and fixes are being developed for the other impacted products and versions.

ZDI published advisories for each of the Netatalk vulnerabilities disclosed at Pwn2Own on March 23.

While currently there do not appear to be any reports of attacks exploiting these vulnerabilities, it’s not uncommon for cybercriminals to target NAS devices, often delivering file-encrypting ransomware and instructing victims to pay a ransom to recover their files.

Related: Serious Vulnerability Exploited at Hacking Contest Impacts Over 200 HP Printers

Related: Deadbolt Ransomware Targeting Asustor NAS Devices

Related: QNAP Devices Targeted in New Wave of DeadBolt Ransomware Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.