
As many as 29,000 network storage devices manufactured by Taiwan-based QNAP are vulnerable to an easy-to-perform hack that could give unauthenticated users on the internet complete control, security firm warns doing.
The vulnerability, which has a severity rating of 9.8 out of 10, was revealed on Monday when QNAP issued a patch and urged users to install it. This vulnerability, tracked as CVE-2022-27596, allows remote hackers to perform SQL injection. SQL injection is a type of attack that targets web applications that use Structured Query Language. The SQL injection vulnerability is exploited by entering specially crafted characters or script into the search field, login field, or URL of a buggy website. Injection allows for the modification, theft, or deletion of data, or gaining administrative control over systems running vulnerable apps.
QNAP’s advisory on Monday states that network-attached storage devices running QTS versions prior to 5.0.1.2234 and QuTS Hero versions prior to h5.0.1.2248 are vulnerable. The post also had instructions for updating to the patched version.
On Tuesday, security firm Censys reported that data collected from network scan searches showed as many as 29,000 QNAP devices may not have been patched for CVE-2022-27596. The researchers found that of his 30,520 internet-connected devices, only 557 of his (about 2%) were patched, although they showed a running version. discovered. Overall, Censys says he detected 67,415 of his QNAP devices. The 29,000 figure was extrapolated by applying a 2% patch rate to the total number of devices.
“Given that the Deadbolt ransomware was specifically designed to target QNAP NAS devices, if the exploit were made public, the same criminals could use it to spread the same ransomware again. Very high,” wrote the Censys researchers. “If the exploit were made public and weaponized, it could cause problems for thousands of her QNAP users.”
Censys officials said in an email that as of Wednesday, they had found 30,475 QNAP devices showing version numbers (45 fewer than Tuesday), of which 29,923 had versions vulnerable to CVE-2022-27596. Said it was running.
References to Deadbolt refer to a series of hacking campaigns over the past year that exploited previous vulnerabilities in QNAP devices to infect them with ransomware using that name. One of the latest campaign waves occurred in September and exploited CVE-2022-27593, a vulnerability in devices using a unique feature known as Photo Station. This vulnerability has been classified as External Control Reference to a resource in another realm.
According to Tuesday’s Censys report, the United States has the most devices vulnerable to CVE-2022-27596, followed by Italy and Taiwan.

Censys also provides a breakdown of:
| Country | total hosts | non-vulnerable host | vulnerable host |
| America | 3,271 | 122 | 3,149 |
| Italy | 3,239 | 39 | 3,200 |
| Taiwan | 1,951 people | 9 | 1,942 |
| Germany | 1,901 | 20 | 1,881 |
| Japan | 1,748 | 34 | 1,714 |
| France | 1,527 | 69 | 1,458 |
| Hong Kong | 1,425 | 3 | 1,422 |
| Korea | 1,313 | 2 | 1,311 |
| England | 1,167 | Ten | 1,157 |
| Poland | 1,001 | 17 | 984 |
In the past, QNAP has recommended that users follow all the steps below to reduce the chances of being hacked.
- Disable the port forwarding function of your router.
- Set up myQNAPcloud on your NAS to enable secure remote access and prevent internet exposure.
- Update the NAS firmware to the latest version.
- Update all applications on the NAS to the latest version.
- Enforce strong passwords for all user accounts on the NAS.
- Protect your data by creating snapshots and backing up regularly.
As reported by Bleeping Computer, QNAP devices have been successfully hacked over the years and infected with other ransomware strains including Muhstik, eCh0raix/QNAPCrypt, QSnatch, Agelocker, Qlocker, DeadBolt, and Checkmate. Users of these devices need to act now.