QNAP Systems Inc. has brought attention to a new critical vulnerability (CVE-2022-27596) that allows remote attackers to inject malicious code on certain QNAP network-attached storage (NAS) devices. QNAP itself has classified this bug with a CVSS base score of 9.8/10 and claimed it can be abused in low-complexity attacks by malicious actors.
The affected devices running QTS 5.0.1 and QuTS hero h5.0.1 should upgrade immediately to QTS 220.127.116.114 build 20221201 or later and QuTS hero h18.104.22.1688 build 20221215 or later, respectively, to secure the devices from any malicious attacks.
Steps to perform the update include:
- Log into the device as the admin user.
- Go to “Control Panel” > “System” > “Firmware Update.”
- Under the “Live Update” section, click the “Check for Update” option.
- Wait for the download and installation to complete.
Alternatively, QNAP device users can access and download the update from the Download Center (qnap.com/en/downloads) and enter their device details to manually apply the upgrade. It is important to update to the latest available software version as soon as possible since QNAP NAS devices have been a known target for ransomware attacks.
https://www.qnap.com/en-us/security-advisory/qsa-23-01 – QNAP Security Update
https://www.qnap.com/en/download – Download Center for QNAP