A critical security vulnerability in QNAP's QTS operating system for network-attached storage (NAS) devices could allow attackers to inject malicious code into devices remotely, with no authentication required.
According to researchers from security firm Censys, more than 30,000 hosts were running a vulnerable version of the QNAP-based system as of press time, meaning that about 98% of the hosts whose version could be determined are exposed to attack.
The issue (CVE-2022-27596) is a SQL injection flaw that affects QNAP QTS devices running versions below 5.0.1.2234, and QuTS hero versions below h5.0.1.2248. It carries a score of 9.8 out of 10 on the CVSS vulnerability-severity scale.
In its advisory this week, QNAP said the bug has a low attack complexity, which, when combined with the popularity of QNAP NAS as a target for DeadBolt ransomware and other threats, could make for imminent exploitation in the wild. And unfortunately, according to Censys, it is a target-rich environment out there.
"Censys has observed 67,415 hosts with indications of running a QNAP-based system; unfortunately, we could only get the version number from 30,520 hosts," the firm explained in a blog post on Feb. 1. "We found that of the 30,520 hosts with a version, only 557 were running [patched versions], meaning 29,968 hosts could be affected by this vulnerability."
To protect themselves, companies should upgrade their devices to QTS version 5.0.1.2234 or later, and QuTS hero h5.0.1.2248 or later.
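The affected-version boundaries above (QTS below 5.0.1.2234, QuTS hero below h5.0.1.2248) and the remediation advice are easy to get wrong when checked by hand or with a naive string comparison, because QNAP build numbers are not zero-padded and QuTS hero versions carry an "h" prefix. The following is an added example, not code from QNAP, Censys or the article, that parses both version formats, compares them numerically against the fixed builds quoted above, and sorts an inventory into vulnerable, patched and unknown buckets the way the Censys counts are split. The hostnames, the sample version strings and the idea of an inventory list are constructed for illustration; the article does not say how Censys obtained version numbers from hosts, and this code makes no assumption about that.

```python
"""Classify QNAP QTS / QuTS hero version strings against the fixed builds
named in the QNAP advisory for CVE-2022-27596.

Added example, not QNAP's or Censys' code. The inventory records below
are constructed; how a real inventory learns a device's version string
is an assumption outside this example.
"""
import re

# Fixed builds as quoted in the advisory: anything numerically below is affected.
FIXED = {
    "QTS": (5, 0, 1, 2234),
    "QuTS hero": (5, 0, 1, 2248),
}

# Accepts "5.0.1.2234" (QTS) and "h5.0.1.2248" (QuTS hero).
_VERSION_RE = re.compile(r"^h?(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(version: str) -> tuple:
    """Turn '5.0.1.2234' or 'h5.0.1.2248' into a tuple of ints.

    Comparing ints matters: as strings, '5.0.1.999' sorts after
    '5.0.1.2234' even though it would be an older build.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(product: str, version: str) -> bool:
    """True when the version is below the fixed build for that product."""
    if product not in FIXED:
        raise ValueError(f"unknown product: {product!r}")
    return parse_version(version) < FIXED[product]


def triage(inventory):
    """Split (host, product, version) records into vulnerable / patched /
    unknown buckets. Hosts whose version cannot be read or parsed go to
    'unknown', never silently to 'patched'."""
    buckets = {"vulnerable": [], "patched": [], "unknown": []}
    for host, product, version in inventory:
        if version is None:
            buckets["unknown"].append(host)
            continue
        try:
            vuln = is_vulnerable(product, version)
        except ValueError:
            buckets["unknown"].append(host)
            continue
        buckets["vulnerable" if vuln else "patched"].append(host)
    return buckets


# Constructed sample inventory: hostnames and most build numbers are made up.
SAMPLE_INVENTORY = [
    ("nas-01.example.internal", "QTS", "5.0.1.2234"),        # exactly the fixed build
    ("nas-02.example.internal", "QTS", "5.0.1.999"),         # constructed older build; string-compares as "newer"
    ("nas-03.example.internal", "QTS", "4.5.4.2012"),        # older release line
    ("nas-04.example.internal", "QuTS hero", "h5.0.1.2248"), # exactly the fixed build
    ("nas-05.example.internal", "QuTS hero", "h5.0.1.2192"), # constructed older hero build
    ("nas-06.example.internal", "QTS", None),                # version not exposed
    ("nas-07.example.internal", "QTS", "5.1.0.2444"),        # constructed later release
]

if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY)
    for bucket, hosts in result.items():
        print(f"{bucket}: {len(hosts)} -> {', '.join(hosts) or '-'}")
```

The "unknown" bucket is kept separate on purpose: in the Censys numbers above, roughly 37,000 of the observed hosts had no readable version, and treating those as patched would understate exposure.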
"If the exploit is published and weaponized, it could spell trouble for thousands of QNAP users," Censys researchers warned. "Everyone must upgrade their QNAP devices immediately to be safe from future ransomware campaigns."