Cyber Resilience

CVE-2022-27596

Critical

Published: 30 January 2023

Modified: 21 November 2024
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2086 (95.8th percentile)
Risk Priority: 32 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-27596 is a critical-severity SQL Injection (CWE-89) vulnerability in QNAP QTS. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 4.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-27596 is a SQL injection vulnerability (CWE-89) affecting QNAP devices running QuTS hero and QTS. Successful exploitation permits remote attackers to inject malicious code. The flaw carries a CVSS 3.1 base score of 9.8, reflecting a network attack vector that requires no authentication or user interaction.

Unauthenticated remote attackers can exploit the issue over the network to fully compromise the confidentiality, integrity, and availability of the affected device. The published description indicates that arbitrary malicious code can be injected, enabling outcomes consistent with the high-impact CVSS metrics.

QNAP security advisory QSA-23-01 states that the vulnerability has been addressed in QuTS hero h5.0.1.2248 build 20221215 and later as well as QTS 5.0.1.2234 build 20221201 and later. The current EPSS score of 0.2086, with a nearly identical peak of 0.2095, shows no material post-disclosure rise that would indicate emerging exploitation interest.

Vulnerability details

A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QuTS hero, QTS: QuTS hero h5.0.1.2248 build 20221215 and later; QTS 5.0.1.2234 build 20221201 and later

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

qnap qts: 5.0.1 — 5.0.1.2234
qnap quts hero: h5.0.1 — h5.0.1.2248

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.
