Network-attached storage (NAS) device manufacturer QNAP is warning its customers that some NAS devices running vulnerable versions of the QTS operating system are exposed to attacks that exploit the ZeroLogon (CVE-2020-1472) vulnerability. QNAP stated that “If exploited, this elevation of privilege vulnerability allows remote attackers to bypass security measures via a compromised QTS device on the network. The NAS may be exposed to this vulnerability if users have configured the device as a domain controller in Control Panel > Network & File Services > Win/Mac/NFS > Microsoft Networking.” While NAS devices are not commonly used as a Windows domain controller, some companies may want to use this feature to allow IT personnel to manage user accounts, authentication, and to enforce domain security. Zerologon is a critical Windows vulnerability that allows attackers to gain administrator privileges and to take control of an entire domain. Earlier this month, Microsoft warned that both nation state-backed attackers and financially motivated criminals have already started using Zerologon in their attacks.