"QNAP: Patch Critical Remote Code Injection Bug"

A leading Taiwanese hardware manufacturer is urging its customers to patch a critical vulnerability in devices running the QTS or QuTS hero firmware.  Network-attached storage (NAS) device maker QNAP stated that CVE-2022-27596 impacts QTS 5.0.1 and QuTS hero h5.0.1.  If exploited, this vulnerability allows remote attackers to inject malicious code.  QNAP is advising customers to upgrade their devices to QTS 5.0.1.2234 build 20221201 and later and QuTS hero h5.0.1.2248 build 20221215 and later.  In the National Vulnerability Database (NVD) entry, the flaw displays a CVSS Score of 9.8 and is described as an SQL injection vulnerability.  QNAP’s devices have become a popular target for threat actors over recent years.  QNAP customers are usually small businesses, schools, and home office users, whose security and patching may not always follow best practices.  Customers can download the update from the QNAP website via its Download Center or log in to their QTS or QuTS hero as an administrator.  

Infosecurity reports: "QNAP: Patch Critical Remote Code Injection Bug"