Skip to content
The Forrester External Attack Surface Management Landscape Report | Download Now

CVE-2022-27596: The Next Ransomware Target?


January 31, 2023

UPDATE Feb 3rd, 2023

  • Today, QNAP has updated its advisory to correct the affected products. This update now states the following: “QTS 5.0.0, QTS 4.x.x, QuTS hero 5.0.0 and QuTS hero 4.5.x are not affected.” — this update drastically changes the outcomes of this report, as most of the devices we observed were running version 5.0.0 and version 4.3.3, both of which have now been made clear and are not vulnerable to this attack.
  • This post initially used the NVD advisory via NIST and the JSON-encoded attachment from QNAP as a source of truth, which contained details about the affected versions that explicitly stated versions less than “h5.0.1.2248 build 20221215” and less than “ build 20221201” were affected. With this new wording from QNAP, the exposure is less extreme. It narrows down the number of affected versions to a tiny number.
  • The official NIST NVD CVE has yet to be updated with this new information; as of February 3rd, 2023, it is still showing the incorrect software configurations:
  • We are working on processing this new data and will continue to update this post.

Data as of February 3rd, 2023

On January 30th, 2023, information emerged about a new vulnerability that targets QNAP devices. Although there is little information about the vulnerability details, we know that it affects QNAP QTS devices running versions 5.0.1, up to, but not including, and QuTS Hero versions “h5.0.1”, up to, but not including “h5.0.1.2248” and was fixed with QTS version and QuTS Hero h5.0.1.2248. This is currently tracked as CVE-2022-27596.

Note: as of February 03, 2022, NVD is still reporting the wrong software configuration values for vulnerable versions of this firmware.

We also know that if the exploitation is successful, an attacker can “inject malicious code”; QNAP has deemed this a critical vulnerability with a low attack complexity, no authentication required, and it can be exploited remotely. We also know that the Common Weakness Enumerator (CWE) it was assigned is “CWE-89”: Improper Neutralization of Special Elements used in an SQL Command (or SQL injection).

Now that the majority of the original data for this post is outdated, given the updates to the advisory, we have created a more general outline of QNAP devices and their versions we have observed on the internet. With this update from QNAP, we learned that only QTS version 5.0.1 and QuTS Hero version h5.0.1 are affected. The good news is that no hosts are exposed on the internet running these firmware versions.

Our latest data shows that 61,597 hosts are running a QNAP device, and we successfully obtained the running firmware version from 32,765 of those.

Top 10 Countries Running QNAP

Country QNAP Host Count
Italy 3,500
United States 3,264
Germany 2,444
Taiwan 2,352
Japan 1,749
France 1,586
Hong Kong 1,444
South Korea 1,317
United Kingdom 1,228
China 1,087

Top 10 Autonomous Systems

Autonomous System QNAP Host Count
HINET Data Communication 1,771
DTAG Internet 1,285
COMCAST-7922 884
HKTIMS-AP HKT Limited 581
TNF-AS 555
France Telecom – Orange 554

Top 10 QNAP Firmware Versions

QNAP Firmware Version Host Count
5.0.0 7,882
4.3.3 7,566
4.3.6 5,172
4.3.4 4,529
4.2.6 1,632
4.5.2 957
4.5.1 869
4.4.3 773
4.4.1 746
4.3.5 732

What we know:

  • It is a SQL injection vulnerability
  • Trivial to exploit
  • It does not require authentication

We’ve discussed problems with QNAP regarding the Deadbolt Ransomware campaigns, which at their height had infected over 20,000 devices and successfully stolen just under $200,000 from victims. And while there are no indications that bad actors are using this new exploit, the threat is definitely on the horizon.

Given that the Deadbolt ransomware is geared to target QNAP NAS devices specifically, it’s very likely that if an exploit is made public, the same criminals will use it to spread the same ransomware again.

Censys has observed 67,415 hosts with indications of running a QNAP-based system; unfortunately, we could only obtain the version number from 30,520 hosts. But, if the advisory is correct (Update Feb 3rd, 2023: it wasn’t), over 98% of identified QNAP devices would be vulnerable to this attack. We found that of the 30,520 hosts with a version, only 557 were running QuTS Hero greater than or equal to “h5.0.1.2248” or QTS greater than or equal to “”, meaning 29,968 hosts could be affected by this vulnerability.

What can be done?

About the Author
Mark Ellzey
Senior Security Researcher All posts by Mark Ellzey
Mark Ellzey is a Senior Security Researcher at Censys. Before his current role, Mark has worked as both a network security engineer and software developer for several internet service providers and financial institutions for over 22 years.
Attack Surface Management Solutions
Learn more