QNAP NAS storage owners – time to update your units

There is a security vulnerability that affects the QNAP NAS storage devices, and their QTS operating system. It has been fixed with a firmware update from QNAP in February, but the catch is — you need to manually install the update before it will fix things.
Because backup appliances work in the background, and we don’t have them in our faces (on our screens) like Windows and OSX, we don’t see nag notices reminding us to upgrade. But they are computers inside, and their OS needs updating as well.

When I checked my NAS units, the firmware was at 2016 levels; that is not good. (Also, I forgot the Admin passwords to allow QFinder to actually let me upgrade.)

Here are the steps to put that right:
Use the QFinder Pro application (install the latest version from https://www.qnap.com/en/utilities/essentials) to log into your QNAP device with your Administrative password.

QFinder Pro Screen

Oops. If you are like me, you set this up 4 years ago and have long since forgotten the password. No problem, since you are long overdue to change it anyway…

Locate the Reset button on the back panel of the QNAP, behind a small hole. (The location will vary with different models.)

With the QNAP NAS running, use a pin or a very thin screwdriver (a Torx 5 for repairing iPhones turns out to be ideal) to press this button down for three full seconds. Release when it beeps, or release after 4 seconds and it should beep once on release. This will reset the Admin password WITHOUT destroying the shares and user access that you set up. If you hold the button down for 10 seconds, it will destroy your setup and make it difficult to get back to your data. QNAP explains the different reset options here: https://www.qnap.com/en/how-to/knowledge-base/article/the-different-ways-of-resetting-your-nas-explained/

Next, after the QNAP has rebooted, use QFinder Pro to log on to the unit with the username “admin” and the password “admin”.

Note, if it persistently rejects your password: the QNAP application and Web interface both send passwords as clear text by default. If you have a security program (Bitdefender in my case), it may block that as insecure, and you may have to create an exception in the security program to let it through.

Choose the name of your NAS in QFinder, choose Configuration, enter the username and password.
Now your first job, before anything else, is to change that password to a secure one, because every hacker in the world knows they can access your machine with admin-admin.
In Configuration, choose the Password tab and enter the existing password, then your new password twice.

Then log back on to the QNAP with your new, secure password (which you have safely recorded in your password manager for reference in 2024…).
Choose Login from QFinder Pro, which will launch your Web browser, and then log in with admin and your new password.

Qnap login splash screen

In the web-based interface, you’ll likely have several pop-up windows offering Help, suggested Apps, etc. Politely decline these.

It may present a window saying that the Firmware needs updating. You can OK that one to start the process. If not, go to Control Panel, System area, Firmware Update icon.

It will tell you the firmware that is ready to be downloaded and installed. Just OK it and then be prepared to wait for 20 – 40 minutes as it downloads, installs and reboots the QNAP.

Once it has restarted, you are done. Well, almost. In my case the firmware was old enough that it had to update to an intermediate version before it would install today’s version; that just meant another run through the Firmware Update cycle. The QFinder Pro interface will throw up a red flag after the Version number if there is another update needed.
