CVE-2022-27596: QNAP Patches Critical Vulnerability in QNAP devices

Taiwanese network-attached storage (NAS) solutions provider QNAP Systems today announced patches for a critical vulnerability impacting some of its QNAP devices running QTS and QuTS hero.

QTS is the smart NAS OS that empowers your business and home life with file sharing, storage, backup, virtualization, multimedia, and more.

QNAP’s new “QuTS hero” operating system combines the app-based QTS with a 128-bit ZFS file system to provide flexible storage management, comprehensive data protection, and optimized performance to meet the needs of business-critical applications.

Tracked as CVE-2022-27596 (CVSS score: 9.8), the security hole could allow a remote attacker to inject malicious code on vulnerable devices, the company says in its advisory.

QNAP says QNAP devices running QTS 5.0.1 and QuTS hero h5.0.1 are impacted and that the issue was addressed with the release of QTS 5.0.1.2234 build 20221201 and later, and QuTS hero h5.0.1.2248 build 20221215 and later. Credited with reporting the CVE-2022-27596 bug is security researcher huasheng_mangguo. The manufacturer encourages all users to update their systems to the latest release.

Updating QTS or QuTS hero

1. Log in to QTS or QuTS hero as an administrator.
2. Go to Control Panel > System > Firmware Update.
3. Under Live Update, click Check for Update.
   QTS or QuTS hero downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.