
The devices have an SQL injection vulnerability that can easily be exploited remotely.

“Tens of thousands” of QNAP network-attached storage (NAS) devices are at risk, still waiting to be patched against a critical security flaw, according to a report in BleepingComputer.

The vulnerability is tracked as CVE-2022-27596 and rated by the company as ‘Critical’ (CVSS v3 score: 9.8), according to the report. This threat impacts QTS 5.0.1 and QuTS hero h5.0.1 versions of the operating system, QNAP says.

The threat is in the form of an SQL injection vulnerability which cybercriminals can exploit to alter the database of the QNAP device if it is exposed to the internet and unpatched.

SQL injection flaws allow attackers to send specially crafted requests to vulnerable devices that modify legitimate SQL queries and make them perform unexpected actions, for example adding users with administrative rights.
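The mechanism described above, shown as an added example rather than anything from QNAP's firmware: a profile-update routine that pastes request values into the statement text lets a crafted value rewrite the query's `SET` clause, while the parameterised version stores the same value as plain data. The schema, the `users` table and the `CRAFTED_EMAIL` value are constructed for this demo.

```python
import sqlite3

# Constructed sample schema for the demo; not QNAP's database.
SCHEMA = """
CREATE TABLE users (
    name     TEXT PRIMARY KEY,
    email    TEXT,
    is_admin INTEGER NOT NULL DEFAULT 0
);
INSERT INTO users VALUES ('admin', 'admin@example.invalid', 1);
INSERT INTO users VALUES ('guest', 'guest@example.invalid', 0);
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def is_admin(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute("SELECT is_admin FROM users WHERE name = ?", (name,)).fetchone()
    return bool(row and row[0])


def set_email_vulnerable(conn: sqlite3.Connection, name: str, email: str) -> None:
    # VULNERABLE: the request values are pasted into the statement text, so
    # whatever the caller sends becomes part of the SQL grammar, not data.
    sql = f"UPDATE users SET email = '{email}' WHERE name = '{name}'"
    conn.execute(sql)
    conn.commit()


def set_email_safe(conn: sqlite3.Connection, name: str, email: str) -> None:
    # HARDENED: placeholders keep the statement fixed; the values are bound
    # separately and cannot change the structure of the query.
    conn.execute("UPDATE users SET email = ? WHERE name = ?", (email, name))
    conn.commit()


# Constructed input carrying SQL syntax in the e-mail field. Against the
# vulnerable routine it extends the UPDATE so that it also sets is_admin = 1
# and comments out the original WHERE clause.
CRAFTED_EMAIL = "x@example.invalid', is_admin = 1 WHERE name = 'guest' --"


def demo() -> dict:
    results = {}

    conn = make_db()
    set_email_vulnerable(conn, "guest", CRAFTED_EMAIL)
    results["vulnerable_guest_is_admin"] = is_admin(conn, "guest")

    conn = make_db()
    set_email_safe(conn, "guest", CRAFTED_EMAIL)
    results["safe_guest_is_admin"] = is_admin(conn, "guest")
    # With the safe routine the whole string is stored literally as the e-mail.
    results["safe_stored_email"] = conn.execute(
        "SELECT email FROM users WHERE name = ?", ("guest",)
    ).fetchone()[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The point for defenders is that the fix is not input filtering but the query style: once values travel through bound parameters, the database never parses them as SQL, so the same string that escalates `guest` to administrator in the vulnerable routine is just an odd-looking e-mail address in the safe one.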

QNAP also released a JSON file describing the severity of the vulnerability, which indicates it is exploitable in low-complexity attacks by remote attackers, without requiring user interaction or privileges on the targeted device.

Patch your device by upgrading now

To secure these QNAP devices from attacks, the company recommends that customers with impacted units (i.e., those running QTS 5.0.1 and QuTS hero h5.0.1) upgrade immediately to QTS 5.0.1.2234 build 20221201 or later and QuTS hero h5.0.1.2248 build 20221215 or later.

Customers can log in as the admin user, go to “Control Panel → System → Firmware Update,” click the “Check for Update” option under the “Live Update” section and wait for the download and installation to complete.

So far, QNAP has not indicated that this flaw is being actively exploited in the wild. Nonetheless, customers are advised to update to the latest available software version as soon as possible. Time is of the essence here, as NAS devices are known for being targeted in ransomware attacks.

Besides updating the NAS unit immediately, customers should also consider not exposing it online, so that the QNAP device is not reachable from the Internet and thus not susceptible to remote exploitation.