Taiwanese firm QNAP has released updates to remediate a critical security flaw affecting its network-attached storage (NAS) devices that could lead to arbitrary code injection.
Tracked as CVE-2022-27596, the vulnerability is rated 9.8 out of a maximum of 10 on the CVSS scoring scale. It impacts QTS 5.0.1 and QuTS hero h5.0.1.
"If exploited, this vulnerability allows remote attackers to inject malicious code," QNAP said in an advisory released Monday.
The exact technical details of the flaw have not been disclosed, but the NIST National Vulnerability Database (NVD) has categorized it as an SQL injection vulnerability.
This means an attacker could supply specially crafted input that the affected component passes into an SQL statement, so that the input is interpreted as part of the query and can be weaponized to bypass security controls and read or alter stored data.
"Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL injection attack," according to MITRE.
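As an added, generic illustration of the mechanism described above (example code written for this article, not QNAP's code; the specifics of CVE-2022-27596 are not public), the following Python script builds a constructed in-memory SQLite table and contrasts a lookup and an update that splice untrusted input into the statement text with the same operations using bound parameters. The table name, column names, sample accounts and the `nobody' OR '1'='1` payload are all assumptions chosen for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from any real device).
SAMPLE_USERS = [
    ("alice", "alice@example.com", 1),
    ("bob", "bob@example.com", 0),
    ("carol", "carol@example.com", 0),
]


def make_db():
    """Create a fresh in-memory database holding the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: untrusted input becomes part of the SQL text itself."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened: the value is bound to a placeholder and never parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def set_email_vulnerable(conn, name, email):
    """Vulnerable: an injected WHERE clause can make the UPDATE hit every row."""
    sql = f"UPDATE users SET email = '{email}' WHERE name = '{name}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # number of rows actually modified


def set_email_safe(conn, name, email):
    """Hardened: bound parameters keep the WHERE clause fixed."""
    sql = "UPDATE users SET email = ? WHERE name = ?"
    cur = conn.execute(sql, (email, name))
    conn.commit()
    return cur.rowcount


def demo():
    """Run both variants against a classic tautology payload and summarise."""
    # Hypothetical attacker input: closes the string literal and appends an
    # always-true condition, so the WHERE clause matches every row.
    payload = "nobody' OR '1'='1"

    leaked = lookup_vulnerable(make_db(), payload)   # every account is returned
    bound = lookup_safe(make_db(), payload)          # no account has that literal name

    altered = set_email_vulnerable(make_db(), payload, "attacker@example.com")
    altered_safe = set_email_safe(make_db(), payload, "attacker@example.com")

    return {
        "leaked_rows": len(leaked),        # 3: read access to data the caller never asked for
        "bound_rows": len(bound),          # 0: the payload is just an unmatched name
        "altered_rows": altered,           # 3: every user's contact address rewritten
        "altered_rows_safe": altered_safe, # 0: nothing matched, nothing changed
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The read and the write cases map onto the two halves of the MITRE description: the same payload that turns a single-user lookup into a full table dump also turns a single-user update into a table-wide one. Parameter binding closes both because the database driver treats the bound value strictly as data.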
The vulnerability has been addressed in QTS 5.0.1.2234 build 20221201 and later, as well as QuTS hero h5.0.1.2248 build 20221215 and later.
Zero-day vulnerabilities in internet-exposed QNAP appliances have previously been used by DeadBolt ransomware actors to breach target networks, so updating to the latest version promptly, especially on devices whose management interface is reachable from the internet, is essential to mitigate the threat.
To apply the updates, users are advised to log in to QTS or QuTS hero as an administrator, navigate to Control Panel > System > Firmware Update, and select "Check for Update" under the "Live Update" section.