A high-severity command injection vulnerability exists in the control panel of multiple Thecus NAS products. This flaw allows an attacker who has valid user credentials to execute arbitrary commands on the device, potentially leading to a complete system takeover, data theft, or deployment of malware.

This is a post-authentication command injection vulnerability. An attacker with valid credentials for the NAS device's control panel can inject and execute arbitrary operating system commands. The vulnerability exists within the user management endpoints, meaning an attacker could craft a malicious request (e.g., when creating or modifying a user) that includes shell commands. The system fails to properly sanitize this input, executing the injected commands with the privileges of the web server process, which can lead to full control over the underlying operating system.

This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation could result in a complete compromise of the NAS device, which often serves as a central file repository. Potential consequences include the exfiltration of sensitive corporate or personal data, data destruction or encryption via ransomware, and disruption of business operations that rely on the stored data. The compromised device could also be used as a pivot point to launch further attacks against other systems on the internal network, significantly expanding the scope of a breach.

Immediate Action: Apply the vendor-provided security updates to all affected Thecus NAS devices immediately. Prioritize patching for any devices with management interfaces exposed to the internet. After patching, review system and access logs for any unusual activity related to the user management functions that may indicate a prior compromise.

Proactive Monitoring: Implement enhanced monitoring of NAS device logs. Specifically, monitor web server access logs for suspicious requests to user management endpoints containing shell metacharacters (e.g., ;, |, &&, $()). Monitor for unusual outbound network traffic from the NAS, unexpected new processes, or the creation of unauthorized user accounts.

Compensating Controls: If immediate patching is not feasible, implement the following controls:

• Restrict network access to the NAS management interface to a limited set of trusted IP addresses.
• Ensure the management interface is not exposed to the public internet.
• Enforce strong, unique passwords and Multi-Factor Authentication (MFA) for all administrative and user accounts to make the required initial authentication more difficult for an attacker.
• Deploy a Web Application Firewall (WAF) with rules to detect and block command injection attempts.

Public Exploit Available: True

Given the high severity (CVSS 8.8) and the public availability of exploit code, this vulnerability poses a significant risk to the organization. We strongly recommend that the vendor-supplied patches be applied to all affected Thecus NAS devices as a critical priority. Until patching is complete, access to the device's management interface should be strictly controlled, and systems should be actively monitored for any signs of exploitation.