Security News > 2023 > January > Over 29,000 QNAP devices vulnerable to code injection attacks
Remote threat actors can exploit this SQL injection vulnerability to inject malicious code in attacks targeting Internet-exposed and unpatched QNAP devices.
While QNAP hasn't tagged this flaw as being actively exploited in the wild, customers are advised to update to the latest available software version as soon as possible since NAS devices have a long history of being targeted in ransomware attacks.
One day after QNAP released security updates to address this critical vulnerability, Censys security researchers published a report revealing that just over 550 out of more than 60,000 QNAP NAS devices they found online were patched.
"Censys has observed 67,415 hosts with indications of running a QNAP-based system; unfortunately, we could only obtain the version number from 30,520 hosts. But, if the advisory is correct, over 98% of identified QNAP devices would be vulnerable to this attack," senior security researcher Mark Ellzey said.
Luckily, since this flaw is not yet abused in the wild and proof-of-concept exploit code hasn't yet surfaced online, there's yet time to patch these vulnerable NAS devices and secure them from attacks.
"If the exploit is published and weaponized, it could spell trouble to thousands of QNAP users. Everyone must upgrade their QNAP devices immediately to be safe from future ransomware campaigns," Ellzey added.