QNAP: Patch Critical Remote Code Injection Bug

A major Taiwanese hardware manufacturer is urging customers to patch critical vulnerabilities in devices running QTS or QuTS Hero firmware.

Network Attached Storage (NAS) device maker QNAP said in an advisory yesterday that CVE-2022-27596 affects QTS 5.0.1 and QuTS hero h5.0.1.

“Exploiting this vulnerability could allow a remote attacker to inject malicious code,” the vendor warns in the brief advisory.

The vendor advised customers to upgrade their devices to:

  • QTS 5.0.1.2234 build 20221201 or later
  • QuTS Hero h5.0.1.2248 build 20221215 or newer
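The two minimum fixed versions above are the practical test a defender needs: given the firmware string reported by each NAS, is it at or past the fix? The following is an added example, not QNAP's code or anything from the advisory. It assumes firmware strings in the same "product version build date" form the advisory uses (a device's own version output may be formatted differently and would need the regex adjusted), and the hostnames and pre-fix version numbers in the sample inventory are constructed for illustration, not real releases.

```python
import re
from typing import Dict, Iterable, NamedTuple, Tuple

# Minimum fixed firmware named in the QNAP advisory quoted above
# (version tuple, build date as an integer YYYYMMDD).
FIXED: Dict[str, Tuple[Tuple[int, ...], int]] = {
    "QTS": ((5, 0, 1, 2234), 20221201),
    "QuTS hero": ((5, 0, 1, 2248), 20221215),
}

# Assumption: firmware strings follow the "<product> [h]<a.b.c.d> build <YYYYMMDD>"
# form used in the advisory. A device's own version output may be formatted
# differently, in which case this regex would need adjusting.
_FW_RE = re.compile(
    r"^\s*(?P<product>QTS|QuTS\s+hero)\s+h?(?P<ver>\d+(?:\.\d+)*)\s+build\s+(?P<build>\d{8})\s*$",
    re.IGNORECASE,
)


class Firmware(NamedTuple):
    product: str              # "QTS" or "QuTS hero"
    version: Tuple[int, ...]  # e.g. (5, 0, 1, 2234)
    build: int                # e.g. 20221201


def parse_firmware(text: str) -> Firmware:
    """Parse an advisory-style firmware string; raises ValueError on anything else."""
    m = _FW_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    product = "QTS" if m.group("product").upper() == "QTS" else "QuTS hero"
    version = tuple(int(part) for part in m.group("ver").split("."))
    return Firmware(product, version, int(m.group("build")))


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'not covered' for one firmware string.

    'not covered' means the device is not on the 5.0.1 branch the advisory names,
    so this check says nothing about it either way; it should be reviewed
    separately rather than silently treated as safe.
    """
    fw = parse_firmware(text)
    fixed_version, fixed_build = FIXED[fw.product]
    if fw.version[:3] != fixed_version[:3]:
        return "not covered"
    # Tuple comparison is conservative: a string with fewer version components than
    # the fix (e.g. "5.0.1" with no build number) sorts below it and is reported
    # vulnerable, as is an equal version number with an earlier build date.
    if (fw.version, fw.build) >= (fixed_version, fixed_build):
        return "patched"
    return "vulnerable"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (hostname, firmware string) pair to its assessment."""
    return {host: assess(fw) for host, fw in inventory}


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and the pre-fix version numbers are
    # made up for illustration and are not real QNAP releases.
    sample = [
        ("nas-01.example.test", "QTS 5.0.1.2234 build 20221201"),
        ("nas-02.example.test", "QTS 5.0.1.2000 build 20221001"),
        ("nas-03.example.test", "QuTS Hero h5.0.1.2248 build 20221215"),
        ("nas-04.example.test", "QuTS hero h5.0.1.2100 build 20221101"),
        ("nas-05.example.test", "QTS 4.5.4.2000 build 20220101"),
    ]
    for host, status in triage(sample).items():
        print(f"{host:24} {status}")
```

The "not covered" outcome is deliberate: the advisory only names the 5.0.1 branch, so a device on another branch is reported as outside the scope of this check rather than quietly marked safe, which is the usual way a triage script like this produces false reassurance.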

More information can be found in the National Vulnerability Database (NVD) entry for the vulnerability. It has a CVSS score of 9.8 and is described as a SQL injection vulnerability.

Customers are wise to follow QNAP’s advice, as QNAP’s devices have become a popular target for attackers in recent years.

In fact, the company’s NAS devices were targeted by Deadbolt ransomware variants throughout most of 2022. During that campaign, the group is believed to have exploited a zero-day vulnerability in QNAP firmware to encrypt and extort customers around the world. It also tried to ransom QNAP itself, demanding over $1 million from the vendor for the master decryption keys and details of the bug.

QNAP’s customers are typically small businesses, schools and home-office users, whose security and patching practices do not always follow best practice.

Customers can download the update from the Download Center on the QNAP website, or log in to QTS or QuTS hero as an administrator, go to Control Panel > System > Firmware, and click Check for Update under Live Update.
