"Over 29,000 QNAP Devices Unpatched Against New Critical Flaw"

Tens of thousands of QNAP Network-Attached Storage (NAS) devices have yet to be updated against a recently addressed critical security vulnerability. This SQL injection vulnerability can be used by remote threat actors to inject malicious code in attacks against Internet-exposed and unpatched QNAP devices. The vulnerability, with a CVSS base score of 9.8/10, could be exploited in low-complexity attacks by unauthenticated actors without any user interaction. A day after QNAP provided security updates to address the vulnerability, Censys researchers published findings stating that a little more than 550 of the over 60,000 QNAP NAS devices they discovered online had been patched. Censys observed 67,415 hosts showing signs of running a QNAP-based system, but was only able to obtain the version number for 30,520 of them. Mark Ellzey, a security researcher, stated that over 98 percent of the identified QNAP devices would be vulnerable to this attack if the advisory is accurate. Of the 30,520 hosts with a version number, only 557 were running QuTS Hero greater than or equal to 'h5.0.1.2248' or QTS greater than or equal to '5.0.1.2234'. Therefore, 29,968 hosts could be impacted by the security flaw. This article continues to discuss the significant number of QNAP devices that remain unpatched against the recently addressed critical security flaw.
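The patched/unpatched split above is a version-threshold comparison. The following Python is an added example, not code from the article, Censys or QNAP: it classifies an inventory of QNAP hosts using the two cutoffs the article names (QuTS hero 'h5.0.1.2248' and QTS '5.0.1.2234'), handles the 'h' prefix that distinguishes QuTS hero builds, pads short version strings, and reports hosts whose version could not be read as "unknown", mirroring the roughly 37,000 hosts for which Censys had no version. The host names and version strings in the sample inventory are constructed; the thresholds are an assumption in the sense that only the article, not QNAP's full advisory, is the source here.

```python
import re
from collections import Counter

# Minimum patched builds as stated in the article (assumed complete for this example):
# QuTS hero >= h5.0.1.2248, QTS >= 5.0.1.2234.
PATCHED_MIN = {
    "QuTS hero": "h5.0.1.2248",
    "QTS": "5.0.1.2234",
}

# QuTS hero builds carry an 'h' prefix; QTS builds are purely numeric.
_VERSION_RE = re.compile(r"(h?)(\d+(?:\.\d+)*)")


def parse_version(text):
    """Split a QNAP firmware string into (product, numeric tuple).

    'h5.0.1.2248' -> ('QuTS hero', (5, 0, 1, 2248)); '5.0.1.2234' -> ('QTS', (5, 0, 1, 2234)).
    Returns None for an empty or unparseable string so callers can report it separately.
    """
    if not text:
        return None
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        return None
    product = "QuTS hero" if m.group(1) == "h" else "QTS"
    return product, tuple(int(part) for part in m.group(2).split("."))


def _padded(a, b):
    """Right-pad the shorter tuple with zeros so '4.5.4' compares sanely against '5.0.1.2234'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def classify(version_text):
    """Return 'patched', 'unpatched' or 'unknown' for one firmware string."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"
    product, nums = parsed
    _, min_nums = parse_version(PATCHED_MIN[product])
    nums, min_nums = _padded(nums, min_nums)
    return "patched" if nums >= min_nums else "unpatched"


def summarize(inventory):
    """inventory: iterable of (host, version_text) pairs -> Counter of classifications."""
    return Counter(classify(version) for _, version in inventory)


# Constructed sample inventory (hypothetical hosts and versions, not data from the article).
SAMPLE_INVENTORY = [
    ("nas-01.example.internal", "h5.0.1.2248"),  # exactly at the QuTS hero threshold
    ("nas-02.example.internal", "h5.0.1.2194"),  # older QuTS hero build
    ("nas-03.example.internal", "5.0.1.2234"),   # exactly at the QTS threshold
    ("nas-04.example.internal", "5.0.1.2131"),   # older QTS build
    ("nas-05.example.internal", "5.1.0.2444"),   # newer QTS line
    ("nas-06.example.internal", None),           # banner seen, but no version recoverable
    ("nas-07.example.internal", "4.5.4"),        # short, old QTS string
]

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY:
        print(f"{host:26} {str(version):14} {classify(version)}")
    print(dict(summarize(SAMPLE_INVENTORY)))
```

Run against your own asset list, the "unknown" bucket is the one to chase first: a device whose version cannot be read is not evidence that it is patched, which is the same gap that kept Censys from classifying more than half of the hosts it observed.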

Bleeping Computer reports "Over 29,000 QNAP Devices Unpatched Against New Critical Flaw"
