Security
Headlines
HeadlinesLatestCVEs

Headline

Patch Critical Bug Now: QNAP NAS Devices Ripe for the Slaughter

Analysts find that 98% of QNAP NAS are vulnerable to CVE-2022-27596, which allows unauthenticated, remote SQL code injection.

DARKReading
#sql#vulnerability#auth

A critical security vulnerability in QNAP’s QTS operating system for network-attached storage (NAS) devices could allow cyberattackers to inject malicious code into devices remotely, with no authentication required.

According to researchers from security firm Censys, more than 30,000 hosts are running a vulnerable version of the QNAP-based system as of press time, meaning that approximately 98% of these devices could be attacked.

The issue (CVE-2022-27596) is a SQL injection problem that affects QNAP QTS devices running versions below 5.0.1.2234, and QuTS Hero versions below h5.0.1.2248. It carries a score of 9.8 out of 10 on the CVSS vulnerability-severity scale.

In its advisory this week, QNAP said the bug has a low attack complexity, which, when combined with the popularity of QNAP NAS as a target for Deadbolt ransomware and other threats, could make for imminent exploitation in the wild. And unfortunately, according to Censys, it’s a target-rich environment out there.

“Censys has observed 67,415 hosts with indications of running a QNAP-based system; unfortunately, we could only obtain the version number from 30,520 hosts,” the firm explained in a blog post on Feb. 1. “We found that of the 30,520 hosts with a version, only 557 were running [patched versions], meaning 29,968 hosts could be affected by this vulnerability.”

To protect themselves, companies should upgrade their devices to QTS version 5.0.1.2234 and QuTS Hero h5.0.1.2248.

“If the exploit is published and weaponized, it could spell trouble to thousands of QNAP users,” Censys researchers warned. “Everyone must upgrade their QNAP devices immediately to be safe from future ransomware campaigns.”

Related news

QNAP Fixes Critical Vulnerability in NAS Devices with Latest Security Updates

Taiwanese company QNAP has released updates to remediate a critical security flaw affecting its network-attached storage (NAS) devices that could lead to arbitrary code injection. Tracked as CVE-2022-27596, the vulnerability is rated 9.8 out of a maximum of 10 on the CVSS scoring scale. It affects QTS 5.0.1 and QuTS hero h5.0.1. "If exploited, this vulnerability allows remote attackers to inject

CVE-2022-27596: Vulnerability in QTS and QuTS hero - Security Advisory

A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QuTS hero, QTS: QuTS hero h5.0.1.2248 build 20221215 and later QTS 5.0.1.2234 build 20221201 and later

DARKReading: Latest News

Microsoft Pulls Exchange Patches Amid Mail Flow Issues