Security Advisory 2023-005

Release Date:

Critical Code Injection Vulnerability in QNAP Devices



  • 31/01/2023 --- v1.0 -- Initial publication


On January 30th, 2023, QNAP published an advisory [1] related to a critical vulnerability, identified as CVE-2022-27596, allowing remote attackers to inject malicious code on QNAP NAS devices.

Technical Details

The vulnerability CVE-2022-27596, with a CVSS score of 9.8 out of 10, is due to a SQL injection flaw that allows attackers to send specially crafted requests on vulnerable devices in order to trigger unexpected behaviours, and especially malicious code execution.

Affected Products

The vulnerability affects the following QNAP operating system versions:

  • QTS 5.0.1
  • QuTS hero h5.0.1


CERT-EU recommends to follow the update procedure published by the QNAP team in its advisory [1].



We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.