CVE-2022-27596
Published: 30 January 2023
Summary
CVE-2022-27596 is a critical-severity SQL Injection (CWE-89) vulnerability in Qnap Qts. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 4.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-27596 is a SQL injection vulnerability (CWE-89) affecting QNAP devices running QuTS hero and QTS. Successful exploitation permits remote attackers to inject malicious code, with the flaw carrying a CVSS 3.1 base score of 9.8 reflecting network-accessible attack vectors that require no authentication or user interaction.
Unauthenticated remote attackers can exploit the issue over the network to obtain full control over confidentiality, integrity, and availability of the affected device. The published description indicates that arbitrary malicious code can be injected, enabling outcomes consistent with the high-impact CVSS metrics.
QNAP security advisory QSA-23-01 states that the vulnerability has been addressed in QuTS hero h5.0.1.2248 build 20221215 and later as well as QTS 5.0.1.2234 build 20221201 and later. The current EPSS score of 0.2086, with a nearly identical peak of 0.2095, shows no material post-disclosure rise that would indicate emerging exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-32097
Vulnerability details
A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QuTS hero, QTS: QuTS hero…
more
h5.0.1.2248 build 20221215 and later QTS 5.0.1.2234 build 20221201 and later
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.