Tens of thousands of QNAP network-attached storage devices are exposed online and unpatched against a critical security flaw. Remote threat actors can exploit this SQL injection vulnerability to inject malicious code in attacks targeting Internet-exposed, unpatched QNAP devices. QNAP has assigned the bug a CVSS base score of 9.8/10 and says it can be abused in low-complexity attacks by unauthenticated malicious actors without any user interaction.

To secure their devices, customers should upgrade to QTS 5.0.1.2234 build 20221201 or later, or QuTS hero h5.0.1.2248 build 20221215 or later. Censys security researchers have reported that only 550 of the more than 60,000 QNAP NAS devices they found online were patched. QNAP customers should update their NAS devices as soon as possible to protect against ransomware attacks.

As additional hardening, customers should also disable the router's Port Forwarding function, disable UPnP on the QNAP NAS, turn off SSH and Telnet connections, change the system port number, change device passwords, and enable IP and account access protection.
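As an added example (not code from the article or from QNAP), the following Python check parses firmware strings in the "QTS 5.0.1.2234 build 20221201" form quoted above and flags inventory entries that fall below the fixed versions, treating a matching version number with an older build date as unpatched. The hostnames and firmware values in the sample inventory are constructed for illustration.

```python
import re
from datetime import date

# Fixed firmware levels as stated in the advisory summary: version tuple plus build date.
FIXED = {
    "QTS": ((5, 0, 1, 2234), date(2022, 12, 1)),
    "QuTS hero": ((5, 0, 1, 2248), date(2022, 12, 15)),
}

# Accepts "QTS 5.0.1.2234 build 20221201" and "QuTS hero h5.0.1.2248 build 20221215"
# (QuTS hero versions carry an "h" prefix, which we strip before comparing).
_FIRMWARE_RE = re.compile(
    r"^(?P<product>QTS|QuTS hero)\s+h?(?P<ver>\d+(?:\.\d+)*)\s+build\s+(?P<build>\d{8})$"
)


def parse_firmware(text):
    """Return (product, version_tuple, build_date) or raise ValueError on unknown input."""
    m = _FIRMWARE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    version = tuple(int(part) for part in m.group("ver").split("."))
    b = m.group("build")
    build = date(int(b[:4]), int(b[4:6]), int(b[6:]))
    return m.group("product"), version, build


def is_patched(text):
    """True when the firmware is at or above the fixed level for its product line."""
    product, version, build = parse_firmware(text)
    fixed_version, fixed_build = FIXED[product]
    if version != fixed_version:
        # A different version number decides on its own (tuples compare lexicographically).
        return version > fixed_version
    # Same version number: the build date must not predate the fixed build.
    return build >= fixed_build


# Constructed sample inventory; hostnames and firmware values are made up for this example.
SAMPLE_INVENTORY = {
    "nas-01": "QTS 5.0.1.2234 build 20221201",
    "nas-02": "QTS 5.0.1.2194 build 20221124",
    "nas-03": "QuTS hero h5.0.1.2248 build 20221215",
    "nas-04": "QuTS hero h5.0.1.2248 build 20221201",
    "nas-05": "QTS 5.0.1.2277 build 20230112",
}


def unpatched_hosts(inventory):
    """Hostnames whose firmware predates the fix, sorted for a follow-up ticket."""
    return sorted(host for host, fw in inventory.items() if not is_patched(fw))
```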
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 31 Jan 2023 23:15:03 +0000