{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-005.pdf"
    },
    "title": "Critical Code Injection Vulnerability in QNAP Devices",
    "serial_number": "2023-005",
    "publish_date": "31-01-2023 16:55:00",
    "description": "On January 30th, 2023, QNAP published an advisory related to a critical vulnerability, identified as CVE-2022-27596, allowing remote attackers to inject malicious code on QNAP NAS devices.",
    "url_title": "2023-005",
    "content_markdown": "---\ntitle: 'Critical Code Injection Vulnerability in\u00a0QNAP Devices'\nversion: '1.0'\nnumber: '2023-005'\noriginal_date: 'January 30, 2023'\ndate: 'January 31, 2023'\n---\n\n_History:_\n\n* _31/01/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn January 30th, 2023, QNAP published an advisory [1] related to a critical vulnerability, identified as `CVE-2022-27596`, allowing remote attackers to inject malicious code on QNAP NAS devices.\n\n# Technical Details\n\nThe vulnerability `CVE-2022-27596`, with a CVSS score of 9.8 out of 10, is due to a SQL injection flaw that allows attackers to send specially crafted requests on vulnerable devices in order to trigger unexpected behaviours, and especially malicious code execution.\n\n# Affected Products\n\nThe vulnerability affects the following QNAP operating system versions:\n\n- QTS 5.0.1\n- QuTS hero h5.0.1\n\n# Recommendations\n\nCERT-EU recommends to follow the update procedure published by the QNAP team in its advisory [1].\n\n# References\n\n[1] <https://www.qnap.com/en/security-advisory/qsa-23-01>",
    "content_html": "<p><em>History:</em></p><ul><li><em>31/01/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On January 30th, 2023, QNAP published an advisory [1] related to a critical vulnerability, identified as <code>CVE-2022-27596</code>, allowing remote attackers to inject malicious code on QNAP NAS devices.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <code>CVE-2022-27596</code>, with a CVSS score of 9.8 out of 10, is due to a SQL injection flaw that allows attackers to send specially crafted requests on vulnerable devices in order to trigger unexpected behaviours, and especially malicious code execution.</p><h2 id=\"affected-products\">Affected Products</h2><p>The vulnerability affects the following QNAP operating system versions:</p><ul><li>QTS 5.0.1</li><li>QuTS hero h5.0.1</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends to follow the update procedure published by the QNAP team in its advisory [1].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.qnap.com/en/security-advisory/qsa-23-01\">https://www.qnap.com/en/security-advisory/qsa-23-01</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}