The QNAP NAS firmware (QTS before version 4.1.1) has an extremely poor HTTP session ID generation function. The routine uses the current Unix time as the random seed, which makes the resulting tokens predictable.

Effectively the code found in libuLinux_nasauth.so.1.0 is:

    #include <stdlib.h>
    #include <time.h>

    char *__get_unique_id(void)
    {
        static char buf[9];   /* 8 characters + NUL; static storage starts zeroed */
        int i;

        srand(time(0));       /* seed is the current Unix time, in seconds */
        for (i = 0; i < 8; i++)
        {
            /* map each rand() output onto the 36-character alphabet */
            buf[i] = "abcdefghijklmnopqrstuvwxyz1234567890"[(int) (rand() * 36.0 / RAND_MAX)];
        }
        return buf;
    }

See https://sintonen.fi/pics/qnap_weak_sessionid_generation.png for the ARM disassembly.

The issue has been fixed in QTS 4.1.1 and later. Users are advised to upgrade to the latest QTS version. Devices that are limited to older QTS versions should not be connected to the internet, or access to the administrative interface should be limited by other means.
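The time-seeded pattern described above beside a hardened replacement, as an added example (not QNAP's code and not the fix shipped in QTS 4.1.1). The helper names `weak_id` and `secure_id`, the 32-character length and the use of Linux `getrandom()` are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>
#include <sys/random.h>   /* getrandom(): Linux, glibc >= 2.25 */

static const char ALPHABET[] = "abcdefghijklmnopqrstuvwxyz1234567890";

/* Weak pattern from the advisory, with the seed made a parameter
 * (hypothetical helper) so that its determinism can be observed. */
static void weak_id(unsigned int seed, char out[9])
{
    srand(seed);
    for (int i = 0; i < 8; i++)
        out[i] = ALPHABET[(int)(rand() * 36.0 / RAND_MAX)];
    out[8] = '\0';
}

/* Hardened form: every character is drawn from the kernel CSPRNG.
 * Bytes >= 252 are rejected so that byte % 36 is unbiased (252 = 7 * 36).
 * 'out' must hold len + 1 bytes. Returns 0 on success, -1 on RNG failure. */
static int secure_id(char *out, size_t len)
{
    size_t n = 0;
    while (n < len) {
        unsigned char pool[64];
        ssize_t got = getrandom(pool, sizeof pool, 0);
        if (got < 0)
            return -1;    /* fail closed: never fall back to rand() */
        for (ssize_t i = 0; i < got && n < len; i++)
            if (pool[i] < 252)
                out[n++] = ALPHABET[pool[i] % 36];
    }
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char a[9], b[9], s[33];
    unsigned int now = (unsigned int)time(NULL);
    weak_id(now, a);
    weak_id(now, b);      /* a second session created within the same second */
    printf("weak:   %s %s (%s)\n", a, b, strcmp(a, b) ? "differ" : "identical");
    if (secure_id(s, 32) == 0)
        printf("secure: %s\n", s);   /* 32 chars of a 36-symbol alphabet, ~165 bits */
    return 0;
}
```

With the weak generator, two sessions created in the same second receive the same ID; the hardened generator has no dependence on the clock.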