QNAP: Patch Critical Remote Code Injection Bug

A leading Taiwanese hardware manufacturer is urging its customers to patch a critical vulnerability in devices running the QTS or QuTS hero firmware.

Network-attached storage (NAS) device maker QNAP said in the advisory yesterday that CVE-2022-27596 impacts QTS 5.0.1 and QuTS hero h5.0.1.

“If exploited, this vulnerability allows remote attackers to inject malicious code,” it warned in the brief advisory.

The vendor advised customers to upgrade their devices to:

  • QTS 5.0.1.2234 build 20221201 and later
  • QuTS hero h5.0.1.2248 build 20221215 and later

More detail can be found in the National Vulnerability Database (NVD) entry for the flaw, which displays a CVSS score of 9.8 and describes it as an SQL injection vulnerability.

Customers would be wise to follow QNAP’s advice, given that its devices have become a popular target for threat actors over recent years.

In fact, its NAS devices were targeted by the Deadbolt ransomware variant throughout most of 2022. During that campaign, it’s believed the group exploited a zero-day vulnerability in QNAP firmware to encrypt and extort customers around the globe. It also tried to hold QNAP to ransom by charging the vendor over $1m for the master decryption key and more details on the bug.

QNAP customers are usually small businesses, schools, home office users and similar whose security and patching may not always follow best practices.

Customers can download the update from the QNAP website via its Download Center, or log in to QTS or QuTS hero as an administrator, go to Control Panel > System > Firmware and click “Check for Update” under “Live Update.”
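For anyone who manages more than a handful of these devices, the fixed versions listed above are easiest to apply as an inventory check. The following is an added example, not QNAP's code and not from the advisory: it parses the firmware string as a QNAP device reports it (for example "QTS 5.0.1.2234 build 20221201" or "QuTS hero h5.0.1.2248 build 20221215"), compares it against the fixed builds for CVE-2022-27596, and flags devices still on a vulnerable build. The inventory entries and hostnames are constructed sample data.

```python
import re

# Fixed versions named in the QNAP advisory for CVE-2022-27596:
# (major, minor, patch, build number) and the build date.
FIXED = {
    "QTS": ((5, 0, 1, 2234), 20221201),
    "QuTS hero": ((5, 0, 1, 2248), 20221215),
}

# Firmware string as shown in Control Panel > System > Firmware.
# QuTS hero prefixes its version with "h"; the build date is optional.
VERSION_RE = re.compile(
    r"^(?P<product>QTS|QuTS\s+hero)\s+h?(?P<ver>\d+(?:\.\d+)*)"
    r"(?:\s+build\s+(?P<date>\d{8}))?$",
    re.IGNORECASE,
)


def parse_version(text):
    """Return (product, version tuple, build date or None)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    product = "QuTS hero" if "hero" in m.group("product").lower() else "QTS"
    ver = tuple(int(x) for x in m.group("ver").split("."))
    date = int(m.group("date")) if m.group("date") else None
    return product, ver, date


def assess(text):
    """Classify one firmware string against the advisory's fixed builds."""
    product, ver, date = parse_version(text)
    fixed_ver, fixed_date = FIXED[product]
    if ver[:3] != fixed_ver[:3]:
        return "not-covered-by-advisory"  # only the 5.0.1 branch is named
    if len(ver) < 4:
        return "unknown"  # no build number, so the check cannot decide
    if ver != fixed_ver:
        return "patched" if ver > fixed_ver else "vulnerable"
    # Same build number: fall back to the build date when one is present.
    if date is None or date >= fixed_date:
        return "patched"
    return "vulnerable"


def triage(inventory):
    """Map each (hostname, firmware string) pair to its status."""
    return {host: assess(fw) for host, fw in inventory}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = [
    ("nas-01", "QTS 5.0.1.2234 build 20221201"),
    ("nas-02", "QTS 5.0.1.2145 build 20220903"),
    ("nas-03", "QuTS hero h5.0.1.2248 build 20221215"),
    ("nas-04", "QuTS hero h5.0.1.2200"),
    ("nas-05", "QTS 4.5.4"),
]
```

Hosts classified "vulnerable" are the ones to update through Live Update or the Download Center; "unknown" entries need the full build number before the check can decide.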
