CVE-2022-27596: QNAP NAS Devices Vulnerable to Critical SQL Injection Vulnerability


On 30 January 2023, QNAP Systems Inc. disclosed a new critical vulnerability that could allow remote attackers to inject malicious code on internet-exposed QNAP NAS devices. QNAP describes the flaw as a SQL injection vulnerability, tracked as CVE-2022-27596, that can be abused in low-complexity attacks by unauthenticated remote threat actors without any user interaction.

QNAP states that organisations running QTS 5.0.1 and QuTS hero h5.0.1 are impacted by CVE-2022-27596 and should upgrade to a patched build version as soon as possible to secure themselves from potential attacks. 

As of January 31, 2023, this vulnerability has not been actively exploited in campaigns, and no PoC exploit code or technical details are publicly available. However, according to CISA’s Known Exploited Vulnerabilities Catalog, threat actors have historically leveraged vulnerabilities in QNAP NAS products in ransomware campaigns.

While Arctic Wolf is not aware of the active exploitation of CVE-2022-27596 at this time, we are still strongly recommending that all organisations running the affected products upgrade to a fixed version as soon as possible. 

Recommendation for CVE-2022-27596

This section summarises the recommendations QNAP has provided for patching devices impacted by CVE-2022-27596.

Update QNAP NAS Appliances 

QNAP has fixed this vulnerability in the following operating system versions: 

  • QTS 5.0.1.2234 build 20221201 and later 
  • QuTS hero h5.0.1.2248 build 20221215 and later 

Details on how to install these patched versions on your device can be found on QNAP’s Security Advisory. 
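The practical defender's task after an advisory like this is to find which appliances in an inventory are still below the fixed builds. The script below is an added example, not code from Arctic Wolf or QNAP: it parses QTS and QuTS hero version strings of the form shown in the advisory (`5.0.1.2234 build 20221201`, `h5.0.1.2248 build 20221215`), compares them against the fixed versions listed above, and flags hosts that are still vulnerable. The inventory format (`host,product,version` lines), the hostnames, and the version numbers in the sample are constructed for illustration. It assumes, as the advisory states, that only the 5.0.1 / h5.0.1 branches are affected, so versions from other branches are reported as outside the affected branch rather than as vulnerable or patched.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Fixed versions as listed in the QNAP advisory for CVE-2022-27596:
# (major, minor, patch, revision) and the build date as an integer.
FIXED_VERSIONS: Dict[str, Tuple[Tuple[int, int, int, int], int]] = {
    "qts": ((5, 0, 1, 2234), 20221201),
    "quts hero": ((5, 0, 1, 2248), 20221215),
}

# The advisory names only the 5.0.1 (QTS) / h5.0.1 (QuTS hero) branches as affected.
AFFECTED_BRANCH = (5, 0, 1)

# Accepts "5.0.1.2234 build 20221201", "h5.0.1.2248", "5.0.1", etc.
VERSION_RE = re.compile(
    r"^h?(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:\s+build\s+(\d{8}))?$",
    re.IGNORECASE,
)


class Verdict(NamedTuple):
    host: str
    product: str
    version: str
    status: str  # "vulnerable" | "patched" | "not_in_affected_branch" | "unknown"


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int, int], int]]:
    """Turn a QTS/QuTS hero version string into a comparable key, or None if unparseable."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    revision = int(m.group(4)) if m.group(4) else 0  # missing revision sorts lowest
    build = int(m.group(5)) if m.group(5) else 0     # missing build date sorts lowest
    return (major, minor, patch, revision), build


def assess(host: str, product: str, version: str) -> Verdict:
    """Compare one device's version against the fixed version for its product."""
    key = product.strip().lower()
    parsed = parse_version(version)
    if key not in FIXED_VERSIONS or parsed is None:
        return Verdict(host, product, version, "unknown")
    numbers, build = parsed
    if numbers[:3] != AFFECTED_BRANCH:
        return Verdict(host, product, version, "not_in_affected_branch")
    fixed_numbers, fixed_build = FIXED_VERSIONS[key]
    # Tuple comparison: version numbers first, build date as a tie-breaker.
    if (numbers, build) >= (fixed_numbers, fixed_build):
        return Verdict(host, product, version, "patched")
    return Verdict(host, product, version, "vulnerable")


def scan_inventory(rows: List[str]) -> List[Verdict]:
    """rows: 'host,product,version' lines (constructed inventory format for this example)."""
    verdicts: List[Verdict] = []
    for line in rows:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [f.strip() for f in line.split(",", 2)]
        if len(parts) != 3:
            continue  # malformed row; skip rather than guess
        host, product, version = parts
        verdicts.append(assess(host, product, version))
    return verdicts


def vulnerable_hosts(rows: List[str]) -> List[str]:
    """Hostnames that are on an affected branch and below the fixed build."""
    return [v.host for v in scan_inventory(rows) if v.status == "vulnerable"]


# Constructed sample inventory: hostnames and version numbers are made up for this example.
SAMPLE_INVENTORY = [
    "# host,product,version",
    "nas-fin-01,QTS,5.0.1.2194 build 20221101",
    "nas-fin-02,QTS,5.0.1.2234 build 20221201",
    "nas-lab-01,QuTS hero,h5.0.1.2248 build 20221215",
    "nas-lab-02,QuTS hero,h5.0.1.2240 build 20221209",
    "nas-old-01,QTS,4.5.4.2000 build 20220101",
    "nas-bad-01,QTS,unknown",
]

if __name__ == "__main__":
    for v in scan_inventory(SAMPLE_INVENTORY):
        print(f"{v.host:<12} {v.product:<10} {v.version:<32} {v.status}")
```

A version string without a build date is treated as older than the same number with one, so a bare `5.0.1` is reported as vulnerable; that is the conservative choice for a patch-verification pass, and any host reported as `unknown` should be checked by hand rather than assumed safe.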

James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.