Quick Hits

Patch Critical Bug Now: QNAP NAS Devices Ripe for the Slaughter

QNAP NAS devices are vulnerable to CVE-2022-27596, which allows unauthenticated, remote SQL code injection.


A critical security vulnerability in QNAP's QTS operating system for network-attached storage (NAS) devices could allow cyberattackers to inject malicious code into devices remotely, with no authentication required.

The issue (CVE-2022-27596) is a SQL injection problem that affects QNAP QTS devices running version 5.0.1, and QuTS hero version h5.0.1. It carries a score of 9.8 out of 10 on the CVSS vulnerability-severity scale.

In its advisory this week, QNAP said the bug has a low attack complexity, which, when combined with the popularity of QNAP NAS as a target for Deadbolt ransomware and other threats, could make for imminent exploitation in the wild. 

"If the exploit is published and weaponized, it could spell trouble to...QNAP users," Censys researchers warned in an analysis of the bug. "Everyone must upgrade their QNAP devices immediately to be safe from future ransomware campaigns."

Since publication, QNAP has updated its advisory to state the following: "QTS 5.0.0, QTS 4.x.x, QuTS hero 5.0.0 and QuTS hero 4.5.x are not affected." Dark Reading had previously reported on an analysis from Censys that found there to be more than 30,000 hosts running a vulnerable version of the QNAP-based system. However, with the revision, that is no longer the case.

"With this new wording, the exposure is less extreme," according to Censys' revised blog post. "It narrows down the number of affected versions to just a very small number of devices."

This post was updated on Feb. 3 at 6 p.m. ET.