Headline
CVE-2023-23370: Vulnerability in QVPN Device Client for Windows - Security Advisory
An insufficiently protected credentials vulnerability has been reported to affect QVPN Device Client. If exploited, the vulnerability could allow local authenticated administrators to gain access to user accounts and access sensitive data used by the user account via unspecified vectors.
We have already fixed the vulnerability in the following version: QVPN Windows 2.1.0.0518 and later
Security ID : QSA-23-36
Release date : October 7, 2023
CVE identifier : CVE-2023-23370
Affected products: QVPN Windows 2.1.x
Summary
An insufficiently protected credentials vulnerability has been reported to affect QVPN Device Client for Windows. If exploited, the vulnerability could allow a local authenticated administrator to gain access to user accounts and the sensitive data they use via unspecified vectors.
We have already fixed the vulnerability in the following version:
Affected Product
Fixed Version
QVPN Windows 2.1.x
QVPN Windows 2.1.0.0518 and later
Recommendation
To secure your device, we recommend regularly updating your QNAP utilities to the latest versions to benefit from vulnerability fixes. You can check the QNAP Utilities page to find the latest updates available for your device operating system.
Attachment
- CVE-2023-23370.json
Acknowledgements: Runzi Zhao, Security Researcher, QI-ANXIN
Revision History:
V1.0 (October 07, 2023) - Published