Taiwanese firm QNAP has launched updates to remediate a vital safety flaw affecting its network-attached storage (NAS) gadgets that might result in arbitrary code injection.
Tracked as CVE-2022-27596, the vulnerability is rated 9.8 out of a most of 10 on the CVSS scoring scale. It impacts QTS 5.0.1 and QuTS hero h5.0.1.
“If exploited, this vulnerability permits distant attackers to inject malicious code,” QNAP stated in an advisory launched Monday.
The precise technical specifics surrounding the flaw are unclear, however the NIST National Vulnerability Database (NVD) has categorized it as an SQL injection vulnerability.
This means an attacker might ship specifically crafted SQL queries such that they might be weaponized to bypass safety controls and entry or alter useful data.
“Just as it could be doable to learn delicate data, it is usually doable to make modifications and even delete this data with a SQL injection assault,” based on MITRE.
The vulnerability has been addressed in variations QTS 5.0.1.2234 construct 20221201 and later, in addition to QuTS hero h5.0.1.2248 construct 20221215 and later.
Zero-day vulnerabilities in uncovered QNAP home equipment have been put to make use of by DeadBolt ransomware actors to breach goal networks, making it important to replace to the most recent model so as to mitigate potential threats.
To apply the updates, customers are suggested to log in to QTS or QuTS hero as an administrator, navigate to Control Panel > System > Firmware Update, and choose “Check for Update” below the “Live Update” part.