Security News > 2022 > June > Critical PHP Vulnerability Exposes QNAP NAS Devices to Remote Attacks

QNAP, Taiwanese maker of network-attached storage devices, on Wednesday said it's in the process of fixing a critical three-year-old PHP vulnerability that could be abused to achieve remote code execution.

"A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx config," the hardware vendor said in an advisory.

"If exploited, the vulnerability allows attackers to gain remote code execution."

"As QTS, QuTS hero or QuTScloud does not have nginx installed by default, QNAP NAS are not affected by this vulnerability in the default state," the company said, adding it had already mitigated the issue in OS versions QTS 5.0.1.2034 build 20220515 and QuTS hero h5.0.0.2069 build 20220614.

The alert comes a week after QNAP revealed that it's "Thoroughly investigating" yet another wave of DeadBolt ransomware attacks targeting QNAP NAS devices running outdated versions of QTS 4.x. Besides urging customers to upgrade to the newest version of QTS or QuTS hero operating systems, it's also recommending that the devices are not exposed to the internet.

QNAP has advised customers who cannot locate the ransom note after upgrading the firmware to enter the received DeadBolt decryption key to reach out to QNAP Support for assistance.

News URL

https://thehackernews.com/2022/06/critical-php-vulnerability-exposes-qnap.html