Taiwanese company QNAP has released an update to fix a critical security flaw affecting Network Attached Storage (NAS) devices that could lead to arbitrary code injection.
Tracked as CVE-2022-27596, the vulnerability is rated 9.8 out of 10 on the CVSS scale. It affects QTS 5.0.1 and QuTS hero h5.0.1.
“Exploitation of this vulnerability allows remote attackers to inject malicious code,” QNAP said in an advisory released on Monday.
Although the exact technical details regarding this flaw are unknown, the NIST National Vulnerability Database (NVD) classifies it as a SQL injection vulnerability.
This means that an attacker can submit specially crafted input that is spliced into a SQL query, allowing them to bypass security controls and read or modify sensitive data stored in the database.
According to MITRE, "Just as sensitive information can be read, it is also possible to modify or delete this information using SQL injection attacks."
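The following is an added example, not code from QNAP or from the advisory: since the vulnerable QNAP code path has not been disclosed, it demonstrates the generic pattern the NVD classification refers to. It builds a constructed in-memory SQLite table of users, then shows a login check and a password-update routine written two ways: with user input spliced into the SQL text (vulnerable), and with bound parameters (hardened). The table, rows, payloads and function names are all assumptions made for this example.

```python
"""Generic SQL injection demonstration (added example, not QNAP's code).

Everything here is constructed for illustration: the schema, the user rows,
the function names and the payloads. It shows the two outcomes MITRE and NVD
describe: reading data the attacker should not see (an authentication
bypass) and modifying data the attacker should not touch.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret", 1), ("alice", "hunter2", 0)],  # constructed rows
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """VULNERABLE: user input is concatenated into the SQL text.

    Returns the names of the rows the query matches.
    """
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """HARDENED: bound parameters keep the input as data, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


def set_password_vulnerable(conn: sqlite3.Connection, name: str, new_pw: str) -> int:
    """VULNERABLE UPDATE: returns the number of rows actually changed."""
    sql = f"UPDATE users SET pw = '{new_pw}' WHERE name = '{name}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def set_password_safe(conn: sqlite3.Connection, name: str, new_pw: str) -> int:
    """HARDENED UPDATE: the name is bound, so it can only match a literal name."""
    sql = "UPDATE users SET pw = ? WHERE name = ?"
    cur = conn.execute(sql, (new_pw, name))
    conn.commit()
    return cur.rowcount


def demo() -> dict:
    """Run both payloads against both implementations and collect the results."""
    conn = make_db()
    # Read/bypass payload: closes the string literal and comments out the
    # password check, so the query becomes
    #   SELECT name FROM users WHERE name = 'admin' --' AND pw = 'wrong'
    bypass = "admin' --"
    results = {
        "bypass_vulnerable": login_vulnerable(conn, bypass, "wrong"),  # ['admin']
        "bypass_safe": login_safe(conn, bypass, "wrong"),              # []
    }
    # Modification payload: the WHERE clause becomes true for every row, so
    # every user's password is overwritten, not just alice's.
    tamper = "alice' OR '1'='1"
    results["tamper_vulnerable"] = set_password_vulnerable(conn, tamper, "owned")  # 2 rows
    results["tamper_safe"] = set_password_safe(make_db(), tamper, "owned")        # 0 rows
    # After the tampering UPDATE, the attacker-chosen password now logs in as admin.
    results["admin_after_tamper"] = login_safe(conn, "admin", "owned")  # ['admin']
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the paired functions is that the fix is not input filtering but keeping data and query structure separate: with bound parameters the same payloads match nothing, because the database driver never interprets the quote or the comment marker as SQL.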
The vulnerability is addressed in QTS 5.0.1.2234 build 20221201 and later, and in QuTS hero h5.0.1.2248 build 20221215 and later.
Publicly disclosed zero-day vulnerabilities in QNAP appliances have been leveraged by DeadBolt ransomware actors to infiltrate targeted networks, making it essential to update to the latest version to mitigate potential threats.
To apply the update, log in to QTS or QuTS hero as an administrator, go to Control Panel > System > Firmware Update, and under the Live Update section click Check for Update.