- Upgrade to Microsoft Office Pro and Windows 11 Pro with this bundle for 87% off
- Get 3 months of Xbox Game Pass Ultimate for 28% off
- Buy a Microsoft Project Pro or Microsoft Visio Pro license for just $18 with this deal
- How I optimized the cheapest 98-inch TV available to look and sound incredible (and it's $1,000 off)
- The best blood pressure watches of 2024
QNAP: Patch Critical Remote Code Injection Bug
A leading Taiwanese hardware manufacturer is urging its customers to patch a critical vulnerability in devices running the QTS or QuTS hero firmware.
Network-attached storage (NAS) device maker QNAP said in the advisory yesterday that CVE-2022-27596 impacts QTS 5.0.1 and QuTS hero h5.0.1.
“If exploited, this vulnerability allows remote attackers to inject malicious code,” it warned in the brief advisory.
The vendor advised customers to upgrade their devices to:
- QTS 5.0.1.2234 build 20221201 and later
- QuTS hero h5.0.1.2248 build 20221215 and later
More detail can be found in the National Vulnerability Database (NVD) entry for the flaw, which displays a CVSS score of 9.8 and describes it as an SQL injection vulnerability.
Customers would be wise to follow QNAP’s advice, given that its devices have become a popular target for threat actors over recent years.
In fact, its NAS devices were targeted by the Deadbolt ransomware variant throughout most of 2022. During that campaign, it’s believed the group exploited a zero-day vulnerability in QNAP firmware to encrypt and extort customers around the globe. It also tried to hold QNAP to ransom by charging the vendor over $1m for the master decryption key and more details on the bug.
QNAP customers are usually small businesses, schools, home office users and similar whose security and patching may not always follow best practices.
Customers can download the update from the QNAP website, via its Download Center, or log-in to their QTS or QuTS hero as an administrator, visit Control Panel > System > Firmware and then “Check for Update” under “Live Update.”