CVE-2022-27598: Security Advisories | QNAP

A vulnerability has been reported to affect multiple QNAP operating systems. If exploited, the vulnerability allows remote authenticated users to get secret values. The vulnerability affects the following QNAP operating systems: QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances). We have already fixed the vulnerability in the following operating system versions: QTS 5.0.1.2346 build 20230322 and later; QuTS hero h5.0.1.2348 build 20230324 and later.

Report Security Vulnerabilities of QNAP Products

We encourage developers and power users to report any potential or confirmed security vulnerabilities of QNAP products to the Security Response Team. Please use the below PGP encryption public key to encrypt your email message, and send it to [email protected].

Frequently-asked Questions

  • 01

    When should I email [email protected]?

    • When you’ve found security vulnerabilities within QNAP products.
  • 02

    When should I not email [email protected]?

    • Seeking technical assistance (for example, how to set up NAS, system update and RMA requests)
    • Reporting vulnerabilities that are already known to the public (for example, vulnerabilities already listed in the Security Advisory)
    • Seeking technical assistance for installing patches published in response to security vulnerabilities
    • Reporting vulnerabilities of products from other vendors, or asking for information on vulnerabilities of products from other vendors
    • Reporting security vulnerabilities found on websites other than qnap.com
    • Seeking advice on issues unrelated to product security
    • Reporting malware found on mobile devices

    For the above conditions, you should contact the QNAP Technical Support Team. The Technical Support Team can be reached at https://service.qnap.com/. If deemed necessary by the Technical Support Team, the case will be referred to the Security Response Team.

  • 03

    What information should I send to [email protected]?

    • To inform us of security vulnerabilities of QNAP products, please include as much information as possible, such as hardware model name, version of QTS/QES, the name and version of apps where vulnerabilities exist, a description of vulnerabilities and complete steps to reproduce the vulnerability. When contacting QNAP, it is recommended to use the PGP encryption public key provided on this page to ensure the integrity and confidentiality of the email.
  • 04

    After receiving my report, how will QNAP respond?

    • The QNAP Security Response Team will thoroughly analyze and investigate received information. Once confirmed, QNAP will release a patch (Qfix) or an updated version of relevant software as necessary. A corresponding Security Advisory article will also be posted. We will never forward email correspondence or your email address to third parties. We also will not disclose any information that can be used to identify you, including your identity, your work, machines you use or configurations you deployed.

Note: To reduce the possibility of users being targeted by cybercrime, QNAP will not announce the existence of vulnerabilities before issuing patches or security advisories. Please follow QNAP’s recommendations to ensure the network security of the QNAP products you use. For the QNAP services you adopt, please obtain the security patches and security advisories from the QNAP website and update the software regularly and in a timely manner. QNAP also recommends that you subscribe to our security advisories to receive the latest product security news.

Related news

QNAP Zero-Days Leave 80K Devices Vulnerable to Cyberattack

Multiple QNAP operating systems are affected, including QTS, QuTS hero, QuTScloud, and QVP Pro appliances, and some don't yet have patches available.
