An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x. If exploited, the vulnerability could allow authenticated users to execute commands via a network.
We have already fixed the vulnerability in the following versions:
QVR Firmware 5.0.0 and later
Credits
Chad Seaman and Larry Cashdollar of Akamai Technologies reported this vulnerability to CISA
