Pierluigi Paganini February 02, 2023

Censys found 30,000 internet-facing QNAP appliances potentially impacted by a recently disclosed critical code injection flaw.

On January 30, Taiwanese vendor QNAP released QTS and QuTS firmware updates to address a critical vulnerability, tracked as CVE-2022-27596 (CVSS v3 score: 9.8), that affects QNAP NAS devices.

A remote attacker can exploit the vulnerability to inject malicious code on QNAP NAS devices. The flaw is easy to exploit without user interaction or privileges on the vulnerable device.

The flaw impacts QTS 5.0.1 and QuTS hero h5.0.1 versions.

“A vulnerability has been reported to affect QNAP devices running QTS 5.0.1 and QuTS hero h5.0.1. If exploited, this vulnerability allows remote attackers to inject malicious code.” reads the advisory published by the Taiwanese vendor.

The company fixed the vulnerability in the following operating system versions:

• QTS 5.0.1.2234 build 20221201 and later
• QuTS hero h5.0.1.2248 build 20221215 and later”

Cyber security firm Censys scanned the Internet for internet-exposed QNAP appliances and discovered 30,000 devices that are likely affected by the CVE-2022-27596 flaw because are running QTS 5.0.1 and QuTS hero h5.0.1 vulnerable versions.

Censys discovered 67,415 hosts allegedly running a QNAP-based system, but they were able to obtain the version number only from 30,520 hosts.

“But, if the advisory is correct, over 98% of identified QNAP devices would be vulnerable to this attack. We found that of the 30,520 hosts with a version, only 557 were running QuTS Hero greater than or equal to “h5.0.1.2248” or QTS greater than or equal to “5.0.1.2234”, meaning 29,968 hosts could be affected by this vulnerability.” reads the report published by Censys. “If the exploit is published and weaponized, it could spell trouble to thousands of QNAP users. Everyone must upgrade their QNAP devices immediately to be safe from future ransomware campaigns.””

Most of the vulnerable hosts discovered by Censys are in Italy (3,200), followed by the US (3,149) and Taiwan (1,942).

Experts used the advisory (QSA-23-01) to determine vulnerable versions, and discovered that the Top Vulnerable versions are:

“while there are no indications that bad actors are using this new exploit, the threat is definitely on the horizon.” Censys concludes.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, IoT)