Over 67,000 NASes QNAP still haven’t received an update to the critical vulnerability that QNAP fixed this week.

SQL injection vulnerability CVE-2022-27596 (CVSS: 9.8) allows a remote unauthorized attacker to inject code into vulnerable QNAP devices available on the Internet. In this case, the hacker does not even need to interact with the user.

To protect against attacks, the company recommends that customers with vulnerable devices:

• running QTS 5.0.1 upgrade to QTS 5.0.1.2234 build 20221201 or later;
• running QuTS hero h5.0.1 upgrade to QuTS hero h5.0.1.2248 build 20221215 or later.

Although QNAP does not flag this vulnerability as actively exploited, customers are advised to update to the patched version as soon as possible because NASdevices are often targeted by ransomware, such as checkmate , Dead Bolt , ech0raix other.

One day after QNAP released fixes security researchers Censys declared that out of more than 68,000 QNAP NAS devices found on the network, only more than 550 were patched. According to their study, more than 98% of identified QNAP devices are vulnerable to this attack.

Vulnerable QNAP devices by country

In addition to updating the NAS device, the user must ensure that it is not available on the Internet for remote use. In addition to other protective measures, proposed by QNAP you need to disable the NAS management service port forwarding option (port 8080 and 433 by default), and disable the UPnP port forwarding feature.