Table of Contents
  • Home
  • /
  • Blog
  • /
  • How to Fix CVE-2022-27596- A Code Injection Vulnerability in QNAP NAS Devices That Lead to RCE Attack?
February 2, 2023

How to Fix CVE-2022-27596- A Code Injection Vulnerability in QNAP NAS Devices That Lead to RCE Attack?

How To Fix Cve 2022 27596 A Code Injection Vulnerability In Qnap Nas Devices That Lead To Rce Attack

The Network Attached Storage (NAS) devices manufacturer giant QNAP published an advisory on 30th June 2023 in which QNAP announced a critical code injection vulnerability in QNAP NAS devices. The vulnerability tracked under this identifier CVE-2022-27596 is a Critical severity vulnerability with a CVSS score of 9.8 out of 10. Technical details behind the flaw are not confirmed yet. Since this flaw allows an attacker to carry out remote code execution attacks just by sending crafted SQL queries, it is most important to fix the CVE-2022-27596 vulnerability. Let’s see how to fix CVE-2022-27596, a Code Injection vulnerability in QNAP NAS devices that lead to an RCE attack.

A Short Introduction About QNAP NAS

QNAP NAS, a familiar name in the world of network-attached storage, is the go-to choice for those seeking dependability and versatility. Whether you’re a home user seeking to store precious memories or a business owner looking for robust storage solutions, QNAP has got you covered. Boasting a diverse lineup of models, from basic to top-of-the-line, QNAP offers options to meet every need. But that’s not all. This storage giant also supports a multitude of protocols, making it a flexible and efficient storage solution for a variety of use cases – personal and professional alike.

QTS 5.x and QuTS hero h5..x:

Step into the future of data management with QTS 5.x- the cutting-edge operating system from QNAP Systems Inc. Designed for their NAS devices, QTS 5.x boasts a user-friendly interface and a vast array of applications to aid in the management, protection, and sharing of digital assets. This futuristic operating system packs in advanced features such as virtualization, containerization, and disaster recovery – ensuring data security and a seamless storage experience for all users.

For businesses seeking maximum value from their data, there’s QuTS hero h5.x – a high-performance version of QTS 5.x optimized for the QuTS hero series NAS devices. This powerhouse OS combines the best of QTS 5.x with innovative hardware and a unique data management architecture, delivering exceptional performance, reliability, and scalability. QuTS hero h5.x comes equipped with advanced storage features, including storage pooling, data backup and recovery, and disaster recovery solutions, making it the ultimate choice for businesses that demand the very best in data management solutions.

Summary of CVE-2022-27596

This is a critical severity Code Injection vulnerability in QNAP NAS operating systems which as got a CVSS score of 9.8 out of 10 on the scale. The successful exploitation of this code injection vulnerability would allow a remote attacker to perform arbitrary code execution attacks. As per the advisory published by QNAP, this flaw could be exploitable just by sending crafted SQL queries. Attackers could abuse this vulnerability to bypass security controls, unauthorized access or sometimes alter valuable information on the vulnerable versions of QNAP NAS operating systems. 

Associated CVE IDCVE-2019-27596
DescriptionA Code Injection Vulnerability in QNAP NAS Devices that Lead to RCE Attack
Associated ZDI ID
CVSS Score9.8 Critical
Impact Score5.9
Exploitability Score3.9
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)None
User Interaction (UI)None
Confidentiality (C)High
Integrity (I)High
availability (a)High

QNAP NAS OS Vulnerable to CVE-2022-27596:

This flaw affects all the QNAP devices runs on QTS 5.0.1 and QuTS hero h5.0.1.

  • QTS 5.0.1

  • QuTS hero h5.0.1.

How to Fix  CVE-2022-27596- A Code Injection Vulnerability in QNAP NAS Devices That Lead to RCE Attack?

Well, the vendor has released the patch to fix the CVE-2022-27596, a critical Code Injection vulnerability. Please upgrade your QNAP OS to these fixed versions. We always recommend regular upgrades and keeping your device to the latest version.

  • QTS build 20221201 and later

  • QuTS hero h5.0.1.2248 build 20221215 and later

Follow This Procedure To upgrade QNAP NAS QTS, QuTS Hero, OR QuTScloud From The Console:

  1. Log on to QTS, QuTS hero, or QuTScloud as administrator.

  2. Go to Control Panel > System Firmware Update.

  3. Under Live Update, click Check for Update

QTS, QuTS hero, or QuTScloud downloads and installs the latest available update by themselves.


Follow this procedure to upgrade QNAP from the software center:

  1. Go to Support > Download Center to download the update from the QNAP website.

  2. Perform a manual update for your specific device.

This simple procedure completes the upgradation procedure.

We hope this post would help you know how to fix CVE-2022-27596, a Code Injection vulnerability in QNAP NAS devices that lead to an RCE attack. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, Medium & Instagram, and subscribe to receive updates like this.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Application Security

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription