Security News > 2023 > January > Critical QNAP NAS vulnerability fixed, update your device ASAP! (CVE-2022-27596)
QNAP Systems has fixed a critical vulnerability affecting QNAP network-attached storage devices, which could be exploited by remote attackers to inject malicious code into a vulnerable system.
Luckily for QNAP NAS owners, there's no mention of it being exploited by attackers or an exploit being publicly available.
QNAP's advisory does not offer more details about CVE-2022-27596, but the vulnerability entry in NIST's National Vulnerability Database reveals that the flaw may allow attackers to execute an SQL injection attack, due to "Improper neutralization of special elements used in an SQL command."
The vulnerability affects QNAP devices running version 5.0.1 of the QTS operating system for entry- and mid-level QNAP NAS devices and versions h5.0.1 of QuTS hero, the OS for high-end and enterprise QNAP NAS models.
QNAP NAS devices are often targeted by threat actors wielding different flavors of ransomware.
No workarounds for this flaw are available and QNAP advises users to update their appliances immediately.
News URL
https://www.helpnetsecurity.com/2023/01/31/cve-2022-27596/
Related news
- QNAP warns of critical auth bypass flaw in its NAS devices (source)
- Critical FortiClient EMS vulnerability fixed, (fake?) PoC for sale (CVE-2023-48788) (source)
- Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool (source)
- PoC exploit for critical Fortra FileCatalyst MFT vulnerability released (CVE-2024-25153) (source)
- Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability (source)
- Critical Unpatched Ray AI Platform Vulnerability Exploited for Cryptocurrency Mining (source)
- Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks (source)
- Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks (source)
- Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks (source)
- Fortinet Rolls Out Critical Security Patches for FortiClientLinux Vulnerability (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-01-30 | CVE-2022-27596 | SQL Injection vulnerability in Qnap QTS and Quts Hero A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. | 9.8 |