80,000 QNAP devices worldwide are vulnerable due to zero-day vulnerabilities, impacting performance and security. Read for details and urgent fix updates...

Continue reading
Researchers at Sternum have discovered a pair of zero-day vulnerabilities in Quality Network Appliance Provider (QNAP) operating systems that impact an estimated 80,000 devices globally. While two of the four affected OSes remain unpatched, the memory access violations are fixed in QTS version 5.0.1.2346 build 20230322 and QuTS hero version h5.0.1.2348 build 20230324. QNAP is "urgently fixing" the remaining flaws. The CVE-2022-27597 and CVE-2022-27598 vulnerabilities impact the QTS, QuTS hero, QuTScloud, and QVP OS, and could cause unstable code and provide a path for a cybercriminal to execute arbitrary code.
According to Sternum, memory access violations could affect the performance and security of QNAP devices. Amit Serper, Sternum's director of security research, explains that these vulnerabilities could lead to stability issues and unpredictable code behavior from a performance perspective. From a security perspective, the flaws could enable malicious threat actors to execute arbitrary code.
The QNAP security advisory adds that "if exploited, the vulnerability allows remote authenticated users to get secret values." While the bugs are rated "low severity," getting a patch in place is crucial since QNAP users remain a favorite target among cybercriminals.
The DeadBolt ransomware group exploited several zero-day vulnerabilities in QNAP devices in 2022, in a series of cyberattacks. The group has been actively seeking and exploiting QNAP flaws, preferably critical zero-days. Mark Parkin, senior technical engineer with Vulcan Cyber, explains that attackers often look for more vulnerabilities once they find one in a target. He also wonders if attackers have access to QNAP source code or some other inside track.
Organizations must ensure their highly targeted QNAP systems are up to date, especially since new vulnerabilities continue to surface regularly. In February, users of QNAP QTS OS were alerted to a critical SQL injection issue with a CVSS score of 9.8. Users with systems without a patch available should employ a strong endpoint detection and response (EDR) solution and look for indicators of compromise.
Furthermore, since cyberattackers need to be authenticated, conducting an audit of who has access to vulnerable systems and providing additional authentication protection could help mitigate an attack. Bud Broomhead, CEO of Viakoo, warns that even when patches are available, companies may need to shift their mindset to truly lock down QNAP appliances. QNAP devices, like many other IoT devices, are often managed outside of IT, misconfigured, left unprotected by firewalls, and unpatched. Corporate IT and security teams may not be aware of these devices, and they may not get audited or observed when they fall out of compliance, such as by using out-of-date and insecure firmware.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.