QNAP has issued an urgent patch to users of its network attached storage solutions, rating a newly reported flaw as “critical.”
The Taiwan-based tech giant deals with storage, networking and smart video innovations. It is a leader in network attached storage (NAS) and professional network video recorder (NVR) solutions.
The popularity of its NAS products hasn’t been overlooked by hackers. QNAP NAS users have been hot targets for ransomware operators in recent years, prompting the vendor to issue several urgent patches and advisories, as well as extend support for end-of-life products.
This week, the company has rolled out yet another urgent fix for what is said to be an SQL injection flaw affecting NAS units running the QTS and QuTS hero operating systems.
The bug, tracked as CVE-2022-27596 and rated “critical,” affects QNAP devices running QTS 5.0.1 and QuTS hero h5.0.1, according to the advisory.
“If exploited, this vulnerability allows remote attackers to inject malicious code,” QNAP says.
According to NIST, the flaw paves the way for exploiting QNAP hardware via SQL injection – a common attack vector hackers use to access information otherwise not intended for display.
QNAP says it has fixed this vulnerability in QTS 5.0.1.2234 build 20221201 and later, and QuTS hero h5.0.1.2248 build 20221215 and later.
If you own a QNAP NAS unit, apply this patch as soon as possible. To do so, log into your device as admin and go to Control Panel -> System -> Firmware Update. Under Live Update, click Check for Update. At this point, your device should download and install the latest version available.
Alternately, you can download the update manually from QNAP by visiting Support -> Download Center.