Patch Critical Bug Now: QNAP NAS Devices Ripe for the Slaughter
Analysts find that 98% of QNAP NAS are vulnerable to CVE-2022-27596, which allows unauthenticated, remote SQL code injection.
QNAP makes network-attached storage systems whose firmware, web interfaces, and services can expose files and devices when vulnerabilities are exploited.
Search across headline titles and summaries.
Background for this topic.
QNAP produces network-attached storage (NAS) systems: network-connected appliances that store and share files, run backups, and may host applications such as remote-access services. Their operating systems and web administration interfaces make them security-relevant infrastructure, not merely passive storage. A compromised device can expose stored data, user credentials, or connected services, while malware can encrypt or delete accessible files.
Key risks include vulnerabilities in the NAS operating system or bundled applications, exposed administration interfaces, and weak or reused account passwords. Security management should include monitoring QNAP advisories, promptly applying firmware and application updates, disabling internet-facing administration and unneeded services, enforcing multifactor authentication where available, and limiting permissions. Backups should be isolated from the NAS account and tested for recovery; otherwise an attacker who gains administrative access may also compromise the backup copies. Logs and access alerts can help identify unauthorized use and support containment.
Analysts find that 98% of QNAP NAS are vulnerable to CVE-2022-27596, which allows unauthenticated, remote SQL code injection.
Vulnerability could be exploited by ransomware groups
Tens of thousands of QNAP network-attached storage (NAS) devices exposed online are waiting to be patched against a critical security flaw addressed by the Taiwanese company on Monday. [...]
Tens of thousands of QNAP network-attached storage (NAS) devices exposed online are waiting to be patched against a critical security flaw addressed by the Taiwanese company on Monday. [...]
Vulnerability affects QTS and QuTS Hero firmware
Taiwanese company QNAP has released updates to remediate a critical security flaw affecting its network-attached storage (NAS) devices that could lead to arbitrary code injection
QNAP is warning customers to install QTS and QuTS firmware updates that fix a critical security vulnerability allowing remote attackers to inject malicious code on QNAP NAS devices. [...]