OTPulse
FeedAboutContact

QNAP VioStor NVR

Act Now8ICS-CERT ICSA-23-355-02Dec 21, 2023
Attack VectorAdjacent
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary

QNAP VioStor NVR devices running firmware version <4.x are vulnerable to remote code execution through manipulation of NTP settings. An attacker with network access and valid user credentials can execute arbitrary commands on the device. QNAP has confirmed that both QVR Firmware 4.x and 5.x versions are end-of-life and no patches will be released. This vulnerability is actively being exploited in the wild.

What this means
What could happen
An attacker could execute arbitrary commands on QNAP VioStor NVR devices by exploiting NTP settings, potentially allowing them to disable video recording, alter footage, or disrupt surveillance operations in critical infrastructure.
Who's at risk
Water utilities and municipal electric systems using QNAP VioStor NVR devices for video surveillance and security monitoring. Facilities that rely on continuous recorded footage for operational oversight, incident investigation, or regulatory compliance are most affected. End-of-life devices without vendor support pose the highest risk.
How it could be exploited
An attacker with local network access (AV:A) and valid user credentials (PR:L) can manipulate NTP settings on the VioStor NVR to trigger remote code execution. The attacker would access the device's configuration interface, modify NTP parameters, and execute malicious commands with device privileges.
Prerequisites
  • Local network access to the VioStor NVR device (not accessible from internet but must be on network)
  • Valid user account credentials to access device configuration
  • Low attack complexity—no special tools or conditions required beyond credentials
actively exploited (KEV confirmed)no patch available for affected firmware versionshigh EPSS score (85.9%)affects surveillance/safety infrastructurelow authentication complexity required (user credentials only)affects end-of-life products without vendor support
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
ProductAffected VersionsFix Status
VioStor NVR QVR firmware: <4.x<4.xNo fix (EOL)
Remediation & Mitigation
0/6
Do now
0/4
HARDENINGImmediately isolate all QNAP VioStor NVR devices from internet-facing access and place behind firewall with restricted inbound rules
HARDENINGRestrict network access to VioStor NVR devices to only authorized engineering and operations personnel using firewall rules and VLAN segmentation
WORKAROUNDDisable or restrict NTP access on affected devices if functionality allows, or limit NTP queries to trusted internal time servers only
HARDENINGAudit and reset all user credentials on VioStor NVR devices; enforce strong passwords and disable default accounts
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HARDENINGDeploy a VPN for any remote access to VioStor NVR management interfaces and ensure VPN software is kept current
HOTFIXEvaluate replacement of end-of-life VioStor NVR units with supported models running QVR firmware 5.x or later
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/2e47e8ce-2c71-46ba-8f15-0e0ffd0cf359
QNAP VioStor NVR | CVSS 8 - OTPulse