Concise Cyber

QNAP Issues Critical Alert for NetBak PC Replicator Flaw CVE-2024-21899

QNAP, a leading provider of network-attached storage (NAS) solutions, has published a security advisory for a critical vulnerability in its NetBak PC Replicator software. This widely-used, license-free backup utility for Windows is affected by the flaw tracked as CVE-2024-21899. NetBak PC Replicator facilitates the backup of files, folders, and entire disk drives from a Windows PC to a QNAP NAS. The advisory calls for immediate user action to prevent potential exploitation.

Vulnerability Details: CVE-2024-21899

The critical vulnerability is rooted in an insecure component, Progress Telerik UI for ASP.NET AJAX, which is integrated into the NetBak PC Replicator application. Specifically, the flaw is a path traversal weakness that allows an unauthenticated remote attacker to bypass security checks and execute arbitrary code on the target system. QNAP has assigned this vulnerability a critical severity rating with a CVSS base score of 9.8 out of 10. The security firm Huntress is credited with the initial disclosure of the flaw in the Telerik component. All versions of QNAP NetBak PC Replicator up to and including 2.1.1 are confirmed to be vulnerable.

Mitigation and Software Update

To address this high-severity threat, QNAP has released NetBak PC Replicator version 2.1.2, which contains the necessary security patch. The company’s advisory urges all users to upgrade to this new version without delay. Users can verify their installed version by navigating to the “About” section within the application’s interface. The patched software is available for download directly from the QNAP website’s software store. The significance of CVE-2024-21899 is underscored by its addition to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog, indicating that the flaw has been actively exploited in the wild in other software products.
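
For checking many PCs rather than opening the "About" section on each, the following PowerShell sketch reports whether a host has a NetBak PC Replicator build older than the fixed 2.1.2 release. It is an added example, not code from QNAP or the original article; it assumes the product registers a Windows uninstall entry whose DisplayName contains "NetBak", and the function name Get-NetBakStatus is hypothetical.

```powershell
# Added example: flag NetBak PC Replicator installs older than the fixed release.
# Assumption: the product's uninstall entry has a DisplayName containing "NetBak".
$FixedVersion = [version]'2.1.2'   # patched release named in the advisory

# Check both the native and the 32-bit-on-64-bit uninstall hives.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-NetBakStatus {
    param([version]$Fixed = $FixedVersion)

    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*NetBak*' }

    foreach ($e in $entries) {
        $parsed = $null
        # DisplayVersion is free-form text; anything unparseable is reported as
        # "Unknown" so it gets a manual check in the application's About section.
        $ok = [version]::TryParse([string]$e.DisplayVersion, [ref]$parsed)
        $status = if (-not $ok) { 'Unknown' }
                  elseif ($parsed -lt $Fixed) { 'Vulnerable' }
                  else { 'Patched' }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $e.DisplayName
            Version  = $e.DisplayVersion
            Status   = $status
        }
    }
}

Get-NetBakStatus | Format-Table -AutoSize
```

No output means no matching uninstall entry was found on that host, which does not by itself prove the software is absent if the naming assumption is wrong.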

Source: https://www.bleepingcomputer.com/news/security/qnap-warns-its-windows-backup-software-is-also-affected-by-critical-aspnet-flaw/