Critical QNAP Vulnerability: CVE-2022-27596



Morning y’all!

Yesterday a new CVE with a critical 9.8 score was released for QNAP devices.

https://nvd.nist.gov/vuln/detail/CVE-2022-27596

Hackers can exploit this SQL injection vulnerability (CVE-2022-27596) to inject malicious code into unpatched, Internet-exposed QNAP devices in simple attacks by unauthenticated malicious actors without user interaction.

QNAP recommends upgrading impacted devices (running QTS 5.0.1 and QuTS hero h5.0.1) to the latest versions (QTS 5.0.1.2234 build 20221201 or later and QuTS hero h5.0.1.2248 build 20221215 or later) to protect against attacks, but if you can’t update right now, disable port forwarding to that device and disable the UPnP function of the QNAP NAS.

As it is not yet being exploited and no proof-of-concept exploit code was shared online, there's still time to patch these vulnerable NAS devices.

[Figure: Vulnerable QNAP NAS devices by country (Censys)]

Besides updating ASAP, it's also recommended not to expose NAS devices online to prevent remote exploitation. QNAP has previously recommended disabling port forwarding, UPnP, SSH and Telnet connections, changing system port numbers, changing device passwords, and enabling IP and account access protection.
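As an added example (not part of the original post and not QNAP's own tooling), the following Python script turns the post's advice into a quick triage check: it parses firmware strings in the form quoted above ("5.0.1.2234 build 20221201", "h5.0.1.2248 build 20221215"), compares them against the fixed releases named in the post, and ranks devices so that unpatched, Internet-exposed units come first. The inventory format, its field names, and every hostname and firmware string in the sample data are constructed for this example; devices on a branch other than 5.0.1 / h5.0.1 are reported as unknown, because the post names only those branches.

```python
import re
from typing import NamedTuple, Optional

# Minimum fixed releases as named in the post for CVE-2022-27596.
# Keyed by product; value = (numeric version tuple, build date as an int).
FIXED_RELEASES = {
    "QTS": ((5, 0, 1, 2234), 20221201),
    "QuTS hero": ((5, 0, 1, 2248), 20221215),
}

# Matches "5.0.1.2234 build 20221201" and the QuTS hero form "h5.0.1.2248 build 20221215".
FIRMWARE_RE = re.compile(r"^h?(\d+\.\d+\.\d+\.\d+)\s+build\s+(\d{8})$", re.IGNORECASE)


class Firmware(NamedTuple):
    product: str
    version: tuple
    build: int


def parse_firmware(product: str, text: str) -> Firmware:
    """Parse a firmware string in the form quoted in the post into comparable parts."""
    if product not in FIXED_RELEASES:
        raise ValueError(f"unknown product {product!r}")
    m = FIRMWARE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string {text!r}")
    version = tuple(int(part) for part in m.group(1).split("."))
    return Firmware(product, version, int(m.group(2)))


def is_patched(fw: Firmware) -> Optional[bool]:
    """True if fw is at or above the fixed release, False if below.

    Returns None when the device is on a branch other than 5.0.1 / h5.0.1:
    the post only names those branches, so this check makes no claim about
    others and they should be looked up separately.
    """
    fixed_version, fixed_build = FIXED_RELEASES[fw.product]
    if fw.version[:3] != fixed_version[:3]:
        return None
    # Tuple comparison: numeric version first, build date breaks ties.
    return (fw.version, fw.build) >= (fixed_version, fixed_build)


def triage(inventory):
    """Rank devices by urgency: unpatched and Internet-exposed first.

    inventory: iterable of dicts with keys host, product, firmware, exposed
    (an assumed layout for this example, not a QNAP API).
    Returns a list of (host, status); status is one of
    'patch-now-exposed', 'patch', 'unknown-branch', 'ok'.
    """
    results = []
    for dev in inventory:
        patched = is_patched(parse_firmware(dev["product"], dev["firmware"]))
        if patched is None:
            status = "unknown-branch"
        elif patched:
            status = "ok"
        elif dev["exposed"]:
            status = "patch-now-exposed"
        else:
            status = "patch"
        results.append((dev["host"], status))
    order = {"patch-now-exposed": 0, "patch": 1, "unknown-branch": 2, "ok": 3}
    # sort() is stable, so devices with equal urgency keep inventory order.
    results.sort(key=lambda r: order[r[1]])
    return results


# Constructed sample inventory: hostnames, firmware strings and exposure flags are made up.
SAMPLE_INVENTORY = [
    {"host": "nas-backup-01", "product": "QTS", "firmware": "5.0.1.2145 build 20220903", "exposed": True},
    {"host": "nas-backup-02", "product": "QTS", "firmware": "5.0.1.2234 build 20221201", "exposed": True},
    {"host": "nas-lab", "product": "QuTS hero", "firmware": "h5.0.1.2248 build 20221215", "exposed": False},
    {"host": "nas-office", "product": "QuTS hero", "firmware": "h5.0.1.2200 build 20221101", "exposed": False},
    {"host": "nas-old", "product": "QTS", "firmware": "4.5.4.2280 build 20221208", "exposed": False},
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:15} {status}")
```

The "exposed" flag is what makes the ranking useful: the post's interim mitigation (disable port forwarding and UPnP) applies exactly to the devices this script lists first, so an operator can work the list top-down even before patches are scheduled.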


7 comments


Thanks for sharing @marcofabbri. I have a lot of customers using QNAP in backup environments.

Time to update!


> Thanks for sharing @marcofabbri. I have a lot of customers using QNAP in backup environments.
>
> Time to update!

Yup, QNAP is widely used in Italy too, and unfortunately CVEs on QNAP pop up too often.


Interesting, as I have never used QNAP. Good to see there is a fix.


> Interesting, as I have never used QNAP. Good to see there is a fix.

Woah really?? 😂


> Thanks for sharing @marcofabbri. I have a lot of customers using QNAP in backup environments.
>
> Time to update!

😱


> Interesting, as I have never used QNAP. Good to see there is a fix.

Synology for the win, but only for SOHO.


> Interesting, as I have never used QNAP. Good to see there is a fix.
>
> Synology for the win, but only for SOHO.

I have a Synology DS920+ with expansion at home for my lab. 😋
