A top Taiwanese components maker is urging its shoppers to patch a critical vulnerability in units running the QTS or QuTS hero firmware.
Network-connected storage (NAS) product maker QNAP said in the advisory yesterday that CVE-2022-27596 impacts QTS 5..1 and QuTS hero h5..1.
“If exploited, this vulnerability permits remote attackers to inject destructive code,” it warned in the quick advisory.
The vendor advised consumers to improve their units to:
- QTS 5..1.2234 build 20221201 and afterwards
- QuTS hero h5..1.2248 create 20221215 and later on
Additional element can be discovered in the National Vulnerability Database (NVD) entry for the flaw, which shows a CVSS rating of 9.8 and describes it as an SQL injection vulnerability.
Consumers would be intelligent to abide by QNAP’s guidance, given that its equipment have come to be a well-liked concentrate on for risk actors over latest a long time.
In simple fact, its NAS devices were being focused by the Deadbolt ransomware variant all over most of 2022. In the course of that campaign, it is believed the team exploited a zero-day vulnerability in QNAP firmware to encrypt and extort clients all around the globe. It also tried to maintain QNAP to ransom by charging the vendor above $1m for the grasp decryption critical and extra details on the bug.
QNAP prospects are normally tiny companies, faculties, house office environment end users and comparable whose security and patching might not often stick to finest methods.
Shoppers can download the update from the QNAP web site, by way of its Down load Center, or log-in to their QTS or QuTS hero as an administrator, stop by Regulate Panel > Technique > Firmware and then “Check for Update” beneath “Live Update.”
Some parts of this article are sourced from:
www.infosecurity-journal.com