February 2, 2023

QNAP Patches Critical Vulnerability

QNAP has patched a critical vulnerability affecting its network-attached storage (NAS) devices which could allow to threat actor to perform remote code injection (RCE).

The Vulnerability

• CVE-2022-27596, (CVSS 3.1: 9.8, Critical) – SQL injection vulnerability which allows remote threat actor to inject malicious code and allow access to sensitive data, modify or delete it.

Affected Products

QNAP devices running QTS 5.0.1 and QuTS hero h5.0.1.

Mitigation

CYREBRO recommends all clients to update their QNAP NAS devices to the latest versions:

• QTS 5.0.1.2234 build 20221201 and later
• QuTS hero h5.0.1.2248 build 20221215 and later

References: QNAP Security Advisory