Security News > 2023 > January > QNAP Fixes Critical Vulnerability in NAS Devices with Latest Security Updates
Taiwanese company QNAP has released updates to remediate a critical security flaw affecting its network-attached storage devices that could lead to arbitrary code injection.
Tracked as CVE-2022-27596, the vulnerability is rated 9.8 out of a maximum of 10 on the CVSS scoring scale.
"If exploited, this vulnerability allows remote attackers to inject malicious code," QNAP said in an advisory released Monday.
The exact technical specifics surrounding the flaw are unclear, but the NIST National Vulnerability Database has categorized it as an SQL injection vulnerability.
Zero-day vulnerabilities in exposed QNAP appliances have been put to use by DeadBolt ransomware actors to breach target networks, making it essential to update to the latest version in order to mitigate potential threats.
To apply the updates, users are advised to log in to QTS or QuTS hero as an administrator, navigate to Control Panel > System > Firmware Update, and select "Check for Update" under the "Live Update" section.
News URL
https://thehackernews.com/2023/01/qnap-fixes-critical-vulnerability-in.html
Related news
- Critical Acronis Cyber Infrastructure vulnerability exploited in the wild (CVE-2023-45249) (source)
- Download: CIS Critical Security Controls v8.1 (source)
- Critical Security Flaw in WhatsUp Gold Under Active Attack - Patch Now (source)
- CISA Warns of Critical Jenkins Vulnerability Exploited in Ransomware Attacks (source)
- Food security: Accelerating national protections around critical infrastructure (source)
- Microsoft Patches Critical Copilot Studio Vulnerability Exposing Sensitive Data (source)
- QNAP adds NAS ransomware protection to latest QTS version (source)
- GitHub Patches Critical Security Flaw in Enterprise Server Granting Admin Privileges (source)
- SonicWall Issues Critical Patch for Firewall Vulnerability Allowing Unauthorized Access (source)
- Critical Fortra FileCatalyst Workflow vulnerability patched (CVE-2024-6633) (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-01-30 | CVE-2022-27596 | SQL Injection vulnerability in Qnap QTS and Quts Hero A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. | 9.8 |