Nearly 30,000 QNAP Devices Exposed Via New Bug

Written by

A critical new vulnerability disclosed by network-attached storage (NAS) vendor QNAP this week could be exploited on almost 30,000 devices globally, according to Censys.

The security firm scanned the internet to find 67,415 hosts running QNAP-based systems around the world. Although it could only find the version number on 30,250 of them, a worrying 98% were potentially vulnerable to an attack exploiting the new flaw.

Only a few hundred were running the updated firmware versions released by the Taiwanese vendor to remediate the bug, said Censys senior security researchers, Mark Ellzey.

“We found that of the 30,520 hosts with a version, only 557 were running QuTS Hero greater than or equal to ‘h5.0.1.2248’ or QTS greater than or equal to ‘5.0.1.2234,’ meaning 29,968 hosts could be affected by this vulnerability,” he warned.

“If the exploit is published and weaponized, it could spell trouble to thousands of QNAP users. Everyone must upgrade their QNAP devices immediately to be safe from future ransomware campaigns.”

Most of the vulnerable hosts reside in the US (3149), followed by Italy (3200) and Taiwan (1942).

Details of the vulnerability in question, CVE-2022-27596, are being kept under wraps for now, presumably to give customers time to patch. However, it may not be long before threat actors look to weaponize it in exploits, Censys warned.

“We’ve discussed problems with QNAP regarding the Deadbolt ransomware campaigns, which at their height infected over 20,000 devices and successfully stole just under $200,000 from victims. While there are no indications that bad actors are using this new exploit, the threat is definitely on the horizon,” Ellzey argued.

“Given that the Deadbolt ransomware is geared to target QNAP NAS devices specifically, it’s very likely that if an exploit is made public, the same criminals will use it to spread the same ransomware again.”

The CVE appears to be an SQL injection vulnerability which is trivial to exploit and requires no authentication. It was given a CVSS score of 9.8.

What’s hot on Infosecurity Magazine?