QNAP Zero-Days Leave 80K Devices Vulnerable to Cyberattack

Published: 23/11/2024   Category: security




Multiple QNAP operating systems are affected, including QTS, QuTS hero, QuTScloud, and QVP Pro appliances, and some don't yet have patches available.



A pair of zero-day vulnerabilities in several Quality Network Appliance Provider (QNAP) operating systems (OS) for network-attached storage (NAS) appliances are impacting an estimated 80,000 devices worldwide. They remain unpatched for two of the four affected OSes.
QNAP provides gear and software for Internet of Things (IoT) storage, networking, and smart video. The OS bugs, discovered by researchers at Sternum, are memory access violations, which could cause unstable code and could provide a path for an authenticated cybercriminal to execute arbitrary code.
The vulnerabilities, tracked under CVE-2022-27597 and CVE-2022-27598, impact the QTS, QuTS hero, QuTScloud, and QVP OS, according to Sternum, and have been fixed in QTS version 5.0.1.2346 build 20230322 (and later) and QuTS hero version h5.0.1.2348 build 20230324 (and later). The QuTScloud and QVP OS remain unpatched, but QNAP said that it is urgently fixing the flaws.
Sternum researchers explain the memory access violations affect the performance, as well as the security of the QNAP devices.
"From a performance point of view, they could lead to stability issues and unpredictable code behavior," Sternum's director of security of research Amit Serper says. "From a security perspective, they can be used for arbitrary code execution by a malicious threat actor."
The QNAP security advisory adds, "If exploited, the vulnerability allows remote authenticated users to get secret values."
While the bugs are rated low severity, and so far, Sternum's researchers have not seen them exploited in the wild, getting a patch in place quickly matters — QNAP users continue to be a favorite target among cybercriminals.
The DeadBolt ransomware group in particular was seen exploiting a range of zero-day vulnerabilities in a series of wide-ranging cyber campaigns against QNAP users in 2022 alone, surfacing regularly in May, June, and September.
DeadBolt is clearly dead set, as it were, on putting effort into finding — and exploiting — QNAP flaws, preferably critical zero-days, according to Mark Parkin, senior technical engineer with Vulcan Cyber.
"It's sometimes said that finding one vulnerability in a target will lead people into looking for more," Parkin explains. "The issue here is that they are finding more as they look. It almost makes you wonder if the attackers don't have access to the source code, or some other way to get an inside track."
Collusion suspicions aside, it's up to organizations to make sure their highly targeted QNAP systems are up to date, especially given that new bugs are coming to light with some frequency. In addition to the most recent findings from Sternum, in February, users of QNAP QTS OS were alerted to a critical SQL injection issue with a CVSS score of 9.8. The disclosures just widen the attack surface further.
In the case of the most recent vulnerabilities, users with systems without a patch available should employ a strong endpoint detection and response (EDR) solution and look for indicators of compromise. Because cyberattackers would need to be authenticated, doing an audit of who has access to vulnerable systems and providing additional authentication protection could also help mitigate an attack.
One researcher warns that even in cases where patches are available, truly locking down the appliances might require a shift in mindset for some companies.
"QNAP devices are very attractive to cybercriminals whose strategy is to ask a large number of victims for a small amount of money," Bud Broomhead, CEO of Viakoo says. "Because QNAP devices, along with many other IoT devices, are largely managed outside of IT, they are often misconfigured, left unprotected by firewalls, and left unpatched."
He adds, "These devices often are invisible to corporate IT and security teams and do not get audited or observed when they fall out of compliance, such as by being on out-of-date and insecure firmware."
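To make the firmware audit described above concrete, the following added example (not from the article, QNAP, or Sternum) sorts an inventory by the fixed releases the article names and flags the operating systems that had no patch at publication. The hostnames and installed release strings are constructed sample data, and treating every release below the fixed one as needing review is an assumption, since the article does not list affected version ranges.

```python
import re

# Fixed releases as stated in the article; None = no patch available at publication.
FIXED = {
    "QTS": ((5, 0, 1, 2346), 20230322),
    "QuTS hero": ((5, 0, 1, 2348), 20230324),
    "QuTScloud": None,
    "QVP": None,
}

# Matches "5.0.1.2346 build 20230322" and the QuTS hero form "h5.0.1.2348 build 20230324".
RELEASE_RE = re.compile(r"^h?(\d+(?:\.\d+)*)\s+build\s+(\d{8})$", re.IGNORECASE)

def parse_release(text):
    """Return ((major, minor, ...), build_date) so releases compare as tuples."""
    m = RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2))

def classify(os_name, release):
    """Return 'patched', 'below-fixed-release', 'no-patch-available' or 'unknown'."""
    if os_name not in FIXED:
        return "unknown"
    if FIXED[os_name] is None:
        # Nothing to upgrade to yet: rely on access review and monitoring instead.
        return "no-patch-available"
    try:
        installed = parse_release(release)
    except ValueError:
        return "unknown"  # unreadable inventory data is surfaced, not assumed safe
    # Assumption: anything older than the fixed release needs review.
    return "patched" if installed >= FIXED[os_name] else "below-fixed-release"

def audit(inventory):
    """Map each hostname to its patch status."""
    return {host: classify(os_name, release) for host, os_name, release in inventory}

# Constructed sample inventory (hostnames and installed releases are made up).
INVENTORY = [
    ("nas-finance", "QTS", "5.0.1.2346 build 20230322"),
    ("nas-lab", "QTS", "5.0.1.2346 build 20230301"),
    ("nas-backup", "QuTS hero", "h5.0.1.2348 build 20230324"),
    ("nas-cloud", "QuTScloud", "1.0.0.0000 build 20230101"),
    ("nas-shadow", "QTS", "not reported"),
]

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:12} {status}")
```

Devices reported as `no-patch-available` or `unknown` are the ones to prioritise for the access audit and monitoring the article recommends.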
