This week, the NAS company revealed that it has fixed a vulnerability affecting PHP versions 7.1.x, 7.1.33, 7.2.24, and 7.3.11. Attackers may exploit it in order to get remote execution on QNAP operating systems.
QTS 5.0.1 build 20220515 and later as well as QuTS hero h126.96.36.1999 build 20220614 and later are safe. The exploit only works in QNAP NAS systems that do not have installed by default.
First, go to QTS, QuTS hero, or QuTScloud as administrator. Finally, select Control Panel > System > Firmware Update. Select Live Update > Check for Update. QNAP''s website may also offer the update manually.
This problem isn''t related to the runsomware breaches committed by Deadbolt, which have affected QNAP NAS users in the last several months. The company has been caught some flak for using auto-updates through its complex multi-layered firmware system in response, which has resulted in unexpected data loss for some users.
Last week, QNAP discovered another Deadbolt campaign, but its latest firmware isn''t quite safeguarded.