PSA: Anyone using a QNAP NAS with nginx and php-fpm should probably update their firmware now. QNAP has released a security update that fixes the nginx vulnerability, the latest in a series of security issues the company has been facing since January.
The NAS company announced this week that it fixed a vulnerability affecting PHP versions 7.1.x, 7.1.33, 7.2.x, 7.2.24, 7.3.x and 7.3.11. Attackers can use it for remote code execution on QNAP operating systems.
Affected OS versions include QTS 5.0 and 4.5, as well as QuTS hero h5.0, 4.5 and c5.0. QTS 5.0.1 build 20220515 and later and QuTS hero h22.214.171.1249 build 20220614 and later are safe. The exploit only works on systems with nginx, which is not installed on QNAP NAS systems by default.
To install the update, first log in to QTS, QuTS hero, or QuTScloud as an administrator. Then go to Control Panel > System > Firmware Update. Select Live Update > Check for updates. Users can also manually upload the update from the QNAP website.
This issue is not related to Deadbolt ransomware attacks that hit QNAP NAS users over the past few months. The company has been criticized for forcing automatic updates through its complex, layered firmware system in response, resulting in unexpected data loss for some users.
QNAP discovered another Deadbolt campaign last week, but its latest firmware is not vulnerable.
Credit: www.techspot.com