Taiwanese company QNAP has released an update to fix a critical security flaw affecting network-attached storage (NAS) devices that could lead to arbitrary code injection.
tracked as CVE-2022-27596, the vulnerability has a maximum score of 9.8 out of 10 on the CVSS scoring scale. Affects QTS 5.0.1 and QuTS hero h5.0.1.
“Exploiting this vulnerability could allow a remote attacker to inject malicious code,” QNAP said in an advisory issued Monday.
The exact technical details surrounding this flaw are unclear, but the NIST National Vulnerability Database (NVD) has classified it as a SQL injection vulnerability.
This means that attackers can send specially crafted SQL queries to bypass security controls and access or alter valuable information.
According to MITRE, “As sensitive information can be read, a SQL injection attack may alter or delete this information.”
This vulnerability is addressed in version QTS 188.8.131.524 build 20221201 or higher and QuTS hero h184.108.40.2068 build 20221215 or higher.
Zero-day vulnerabilities in exposed QNAP appliances have been used by DeadBolt ransomware actors to compromise targeted networks, making it essential to update to the latest version to mitigate potential threats.
To apply updates, it is recommended to log in to QTS or QuTS hero as an administrator, go to Control Panel > System > Firmware Update, and select “Check for Updates” in the “Live Update” section.