QNAP is warning customers to install QTS and QuTS firmware updates that address a critical security vulnerability that allows remote attackers to inject malicious code into QNAP NAS devices.
The vulnerability is identified as CVE-2022-27596 and classified by the company as “critical” (CVSS v3 score: 9.8), impacting QTS 5.0.1 and QuTS hero h5.0.1 versions of the operating system.
“A vulnerability has been reported to affect QNAP devices running QTS 5.0.1 and QuTS hero h5.0.1. If exploited, this vulnerability allows remote attackers to inject malicious code.” QNAP Security Notice.
The vendor did not disclose many details about the vulnerability or its potential for exploitation, but the NIST portal describes it as an SQL injection flaw.
SQL injection flaws allow attackers to send specially crafted queries to vulnerable devices to modify legitimate SQL queries to perform unexpected behavior.
Additionally, QNAP released a JSON file describing the severity of the vulnerability, indicating that it is exploitable in low complexity attacks by remote attackers, without requiring user interaction or privileges on the targeted device.
QNAP advises that users’ devices running on QTS and QuTS hero should be upgraded to the following versions to stay safe:
- QTS 188.8.131.524 build 20221201 and later
- QuTS hero h184.108.40.2068 build 20221215 and later
To perform the update, customers can log into their devices as an administrator user and navigate to “Control Panel → System → Firmware Update.”
Under the “Live update“, click the “Check for update” and wait for the download and installation to complete.
Alternatively, QNAP users can download the update from QNAP Download Center after selecting the correct product type and model and manually applying it on their devices.
QNAP’s review did not mark CVE-2022-27596 as actively exploited in the wild.
However, due to the severity of the flaw, users are recommended to apply available security updates as soon as possible, as threat actors are actively targeting QNAP vulnerabilities.
QNAP devices are already the target of ongoing ransomware campaigns known as Deadbolt and eCh0raixwhich are known to abuse vulnerabilities to encrypt data on exposed NAS devices.