QNAP fixes critical bug letting hackers inject malicious code

QNAP is warning customers to install QTS and QuTS firmware updates that fix a critical security vulnerability allowing remote attackers to inject malicious code on QNAP NAS devices.

The vulnerability is tracked as CVE-2022-27596 and rated by the company as ‘Critical’ (CVSS v3 score: 9.8), impacting QTS 5.0.1 and QuTS hero h5.0.1 versions of the operating system.

“A vulnerability has been reported to affect QNAP devices running QTS 5.0.1 and QuTS hero h5.0.1. If exploited, this vulnerability allows remote attackers to inject malicious code,” warns the .

The vendor hasn’t disclosed many details about the vulnerability or its exploitation potential, but  describes it as a SQL injection flaw.

SQL injection flaws allow attackers to send specially crafted requests to vulnerable devices that alter the structure of legitimate SQL queries, causing the database to perform unexpected operations.
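To make the flaw class concrete, here is an added example (not code from the article or from QNAP's firmware) showing the difference between a query built by string concatenation and the same lookup with a bound parameter. The table, column names and rows are constructed sample data standing in for a device's user store, not QNAP's schema.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table (sample data, not a real device store)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "s3cret"), ("guest", "guest")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable pattern: caller input is pasted into the SQL text, so quote
    characters in the input change the query the database parses."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Hardened pattern: the input is passed as a bound parameter and is only
    ever treated as a string value, never as part of the query grammar."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"          # constructed input containing a quote
    print("normal  :", lookup_vulnerable(conn, "guest"))
    print("vulnerable with crafted input  :", lookup_vulnerable(conn, crafted))
    print("parameterized with crafted input:", lookup_parameterized(conn, crafted))
```

Running it shows the concatenated query returning every row for the crafted input while the parameterized query returns nothing, because there is no user literally named `x' OR '1'='1`. Using bound parameters (or a query builder that does so) is the standard mitigation for this class of bug.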

Furthermore, QNAP released a JSON file describing the severity of the vulnerability, which indicates it is exploitable in low-complexity attacks by remote attackers, without requiring user interaction or privileges on the targeted device.

QNAP says users of devices running QTS and QuTS hero should upgrade to the following versions to remain safe:

  • QTS build 20221201 and later
  • QuTS hero h5.0.1.2248 build 20221215 and later

To perform the update, customers can log into their devices as the admin user and go to “Control Panel → System → Firmware Update.”

Under the “Live Update” section, click the “Check for Update” option and wait for the download and installation to complete.

Alternatively, QNAP users may download the update from  after selecting the correct product type and model, and apply it manually on their devices.

 has not marked CVE-2022-27596 as actively exploited in the wild.

However, due to the flaw’s severity, users are recommended to apply available security updates as soon as possible, as threat actors actively target QNAP vulnerabilities.

QNAP devices are already the target of ongoing ransomware campaigns known as  and , which are  to encrypt data on exposed NAS devices.