QNAP Security Updates To Patch The Zero-day Vulnerability In QTS 5.0.1 And QuTS hero h5.0.1 Devices
QNAP Systems, Inc., a Taiwan-based computer manufacturer specializing in network storage solutions for individuals and businesses, has released a security update for a critical vulnerability that could lead to arbitrary code injection in its network-attached storage (NAS) devices.
The vulnerability affects QTS 5.0.1 and QuTS hero h5.0.1 devices, especially QTS 5.0.1.2234 build 20221201 and later, and QuTS hero h5.0.1.2248 build 20221215 and later. It is referenced as CVE-2022-27596 and rated 9.8/10 on the CVSS scoring scale.
As it is a zero-day vulnerability, the exact technical specifics of the flaw are unclear. Still, the NIST National Vulnerability Database (NVD) and MITRE have categorized it as an SQL injection vulnerability, and QNAP declared in an advisory released on 30th January that, if exploited, it allows remote attackers to inject malicious code.
With a SQL injection attack, an attacker exploiting this vulnerability can read, change, or even delete sensitive information, and it can be used by DeadBolt ransomware actors to breach target networks.
To mitigate these threats, users are strongly recommended to apply appliance firmware updates by logging in to QTS or QuTS hero as an administrator, and clicking "Check for Update" under the "Live Update" section in "Control Panel" > "System" > "Firmware Update Tab".