QNAP accidentally blocked users from accessing their NAS storages with QTS OS update

After QNAP released the operating system update QTS 5.2.2.2950 build 20241114 on November 19, complaints began to be received “from some users reporting problems with the functionality of the device after installation,” writes Ars Technica. The company said the update was retracted, after which it “conducted a full investigation” and re-released a corrected version “within 24 hours.”

According to QNAP, problems arose only in a limited list of NAS storage models of the TS-x53D and TS-x51 series, including TS-453DX, TBS-453DX, TS-251D, TS-253D, TS-653D, TS-453D, TS-453Dmini, TS-451D and TS-451D2, but on The community forum writes about a wider list of company devices that have problems after updating the QTS OS.

Image source: QNAP

Problems include denying owners access as authorized users, difficulty downloading, and claims that Python is not installed to run some applications and services.

QNAP recommended that users experiencing issues either downgrade their devices (presumably to then upgrade again to the correct update) or contact support for assistance. As users report on forums and social networks, the company’s response does not correspond to the seriousness of losing access to the entire backup system.

The QTS update was aimed, in particular, at eliminating recently discovered security vulnerabilities in QNAP devices, which are often attacked by hackers. A serious vulnerability identified in February 2023 allowed remote SQL injections and potentially gaining administrative control of the device. It affected almost 30,000 QNAP devices, which was detected during a network scan.

Previously, DeadBolt, a ransomware group, infected thousands of QNAP devices, forcing the company to automatically send emergency updates even to customers with automatic updates turned off.

Security researchers from WatchTowr reported that they had discovered 15 vulnerabilities in QNAP’s operating systems and cloud services and notified the company about them. After QNAP failed to patch some of these vulnerabilities within a 90-day period, WatchTowr published its findings under the title “QNAPping at the Wheel.”