CVE-2022-27597

moderate-risk
Published 2023-03-29

A vulnerability has been reported to affect QNAP operating systems. If exploited, the out-of-bounds read vulnerability allows remote authenticated administrators to get secret values. The vulnerability affects the following QNAP operating systems: QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances) We have already fixed the vulnerability in the following versions: QTS 5.0.1.2346 build 20230322 and later QuTS hero h5.0.1.2348 build 20230324 and later

Do I need to act?

-
0.35% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
2
CVSS 2.7/10 Low
NETWORK / LOW complexity

Affected Products (11)

Qvr
Qts
Qvp-41B Firmware
Qvp-63B Firmware
Qvp-85B Firmware
Qvp-21A Firmware
Qvp-41A Firmware
Qvp-63A Firmware
Qvp-85A Firmware

Affected Vendors

Qnap

References (2)

Vendor Advisory https://www.qnap.com/en/security-advisory/qsa-23-06
Vendor Advisory https://www.qnap.com/en/security-advisory/qsa-23-06
31
/ 100
moderate-risk
Severity 14/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 16/34 · Moderate