- The operating systems for QNAP Network Attached Storage devices, QTS and QTS hero are found vulnerable.
- The vulnerability is a code injection flaw with a CVSS score of 9.8 and is remotely exploitable, which makes it highly dangerous.
- QNAP has already released patches for the vulnerability and strongly recommends keeping the devices up-to-day all the time.
Approximately five months after QNAP fixes a critical vulnerability that affects Photo Station, thus the NAS devices, the company releases another fix for a new vulnerability: CVE-2022-27596, a flaw which is fixed with the latest versions of QTS and QuTS hero operating system.
SQL injection flaw
CVE-2022-27596 is a critical SQL injection flaw with a CVSS score of 9.8, which affects QTS 5.0.1 and QuTS hero h5.0.1. The vulnerability allows attackers to inject malicious SQL code into the device.
According to the JSON file of the vulnerability that is attached to the advisory QNAP published, remotely exploiting this vulnerability requires a low skill and it does not require user interaction or any privileges, which makes it a dangerous vulnerability for the affected QNAP NAS (Network Attached Storage) devices.
The advisory that QNAP released indicates that the vulnerability is already patched with the updates; QTS 5.0.1.2234 build 20221201 and QuTS hero h5.0.1.2248 build 20221215 and their later versions are safe to use. QNAP strongly recommends updating to those versions and keeping the NAS devices all the time.
How to update QNAP NAS devices?
To patch your QNAP NAS devices with the aforementioned versions, you can follow the steps below:
- Log in to QTS or QuTS hero as an administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
- QTS or QuTS hero downloads and installs the latest available update.
It is also possible to perform a manual update by downloading the required files for your devices by following the link below: