
QNAP Fixes Critical Vulnerability in NAS Devices with Latest Security Updates



Jan 31, 2023 | Ravie Lakshmanan | Information Security / Vulnerability


Taiwanese company QNAP has released updates to remediate a critical security flaw affecting its network-attached storage (NAS) devices that could lead to arbitrary code injection.

Tracked as CVE-2022-27596, the vulnerability is rated 9.8 out of a maximum of 10 on the CVSS scoring scale. It affects QTS 5.0.1 and QuTS hero h5.0.1.

“If exploited, this vulnerability permits remote attackers to inject malicious code,” QNAP said in an advisory released Monday.

The exact technical specifics surrounding the flaw are unclear, but the NIST National Vulnerability Database (NVD) has categorized it as an SQL injection vulnerability.

This means an attacker could send specially crafted SQL queries such that they could be weaponized to bypass security controls and access or alter valuable information.

“Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL injection attack,” according to MITRE.

The vulnerability has been addressed in versions QTS 5.0.1.2234 build 20221201 and later, as well as QuTS hero h5.0.1.2248 build 20221215 and later.
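For administrators triaging several devices, the affected branch and fixed builds above can be turned into an inventory check. The following is an added example, not code from QNAP or from the original article; the function names, status labels, hostnames and the older version strings in the sample are assumptions made for illustration.

```python
import re

# Fixed releases as given in the article: product -> (version number, build date).
FIXED = {
    "QTS": (2234, 20221201),        # QTS 5.0.1.2234 build 20221201
    "QuTS hero": (2248, 20221215),  # QuTS hero h5.0.1.2248 build 20221215
}
AFFECTED_BRANCH = (5, 0, 1)  # the only branch the article lists as affected

# Accepts "5.0.1.2234 build 20221201", "h5.0.1.2248 build 20221215", "5.0.1", ...
_FW = re.compile(r"^h?(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:\s+build\s+(\d{8}))?$", re.I)


def parse_firmware(text):
    """Return (branch, number, build); number/build are None when absent."""
    m = _FW.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    major, minor, patch, number, build = m.groups()
    branch = (int(major), int(minor), int(patch))
    return branch, int(number) if number else None, int(build) if build else None


def cve_2022_27596_status(product, firmware):
    """Classify one device as 'vulnerable', 'patched', 'not-listed' or 'unknown'."""
    if product not in FIXED:
        raise ValueError(f"unknown product: {product!r}")
    branch, number, build = parse_firmware(firmware)
    if branch != AFFECTED_BRANCH:
        return "not-listed"          # article names no other branch as affected
    fixed_number, fixed_build = FIXED[product]
    if number is None or (number == fixed_number and build is None):
        return "unknown"             # not enough detail to compare safely
    # Order by version number first, build date second.
    return "patched" if (number, build or 0) >= (fixed_number, fixed_build) else "vulnerable"


def triage(inventory):
    """Map each (host, product, firmware) row to (host, status)."""
    return [(host, cve_2022_27596_status(p, fw)) for host, p, fw in inventory]


# Constructed sample inventory (hostnames and older version strings are made up).
SAMPLE = [
    ("nas-01", "QTS", "5.0.1.2234 build 20221201"),
    ("nas-02", "QTS", "5.0.1.2000 build 20220101"),
    ("nas-03", "QuTS hero", "h5.0.1.2248 build 20221215"),
    ("nas-04", "QTS", "4.5.4.1000 build 20210101"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(f"{host}: {status}")
```

A result of "not-listed" only means the article does not name that firmware branch as affected; "unknown" means the string lacks the version number or build date needed for the comparison.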

Zero-day vulnerabilities in exposed QNAP appliances have been put to use by DeadBolt ransomware actors to breach target networks, making it essential to update to the latest version in order to mitigate potential threats.

To apply the updates, users are advised to log in to QTS or QuTS hero as an administrator, navigate to Control Panel > System > Firmware Update, and select “Check for Update” under the “Live Update” section.



