CVE-2022-27588

9.8 CRITICAL

📋 TL;DR

CVE-2022-27588 is a critical command injection vulnerability in QNAP QVR software that allows attackers to execute arbitrary commands on affected systems. This affects QNAP QVR installations before version 5.1.6 build 20220401. Attackers can potentially gain complete control of vulnerable systems.

💻 Affected Systems

Products:
  • QNAP QVR
Versions: All versions before QVR 5.1.6 build 20220401
Operating Systems: QTS, QuTS hero
Default Config Vulnerable: ⚠️ Yes
Notes: Affects QVR software running on QNAP NAS devices. QVR is video surveillance software often exposed for remote camera access.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, install malware, pivot to other systems, and exfiltrate sensitive data.

🟠 Likely Case

Remote code execution leading to ransomware deployment, data theft, or system takeover for cryptocurrency mining.

🟢 If Mitigated

Limited impact if systems are isolated, patched, or have strict network controls preventing external access.

🌐 Internet-Facing: HIGH - QVR systems are often exposed to the internet for remote access, making them prime targets for exploitation.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability to move laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

This vulnerability has been actively exploited in the wild. Attackers can exploit it without authentication, making it particularly dangerous.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: QVR 5.1.6 build 20220401 and later

Vendor Advisory: https://www.qnap.com/en/security-advisory/qsa-22-07

Restart Required: Yes

Instructions:

1. Log into the QNAP NAS admin interface.
2. Go to App Center.
3. Check for QVR updates.
4. Install QVR 5.1.6 build 20220401 or later.
5. Restart the QVR service or the entire NAS.

🔧 Temporary Workarounds

Network Isolation

linux

Block external access to QVR ports and services

iptables -A INPUT -p tcp --dport 8080 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Disable QVR Service

linux

Temporarily disable QVR if not in critical use

/etc/init.d/qvr.sh stop
chkconfig qvr off

🧯 If You Can't Patch

  • Immediately isolate affected systems from the internet using firewall rules
  • Implement strict network segmentation to limit lateral movement potential

🔍 How to Verify

Check if Vulnerable:

Check QVR version in QNAP App Center or via SSH: cat /etc/qpkg.conf | grep QVR

Check Version:

cat /etc/qpkg.conf | grep QVR

Verify Fix Applied:

Verify QVR version is 5.1.6 build 20220401 or later in App Center
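
The version check above can be scripted so that it compares both the version and the build against the fixed release. This is an added example, not QNAP's or this page's own tooling; it assumes the package file is INI-style with a `[QVR]` section holding `Version` and `Build` keys, and the function names are hypothetical.

```shell
#!/bin/sh
# Fixed release named in the advisory: QVR 5.1.6 build 20220401.
FIXED_VERSION="5.1.6"; FIXED_BUILD="20220401"

# Print "<version> <build>" from the [QVR] section of an INI-style file.
# Assumption: keys are named Version and Build (format not shown on the page).
qvr_installed() {
    awk -F'=' '
        /^\[/ { in_qvr = ($0 ~ /^\[QVR\][ \t\r]*$/); next }
        in_qvr && $1 ~ /^[ \t]*Version[ \t]*$/ { v = $2 }
        in_qvr && $1 ~ /^[ \t]*Build[ \t]*$/   { b = $2 }
        END { gsub(/[ \t\r]/, "", v); gsub(/[ \t\r]/, "", b); if (v != "") print v, b }
    ' "$1"
}

# Compare dotted versions field by field as numbers: prints -1, 0 or 1.
ver_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); if (m > n) n = m
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) { print -1; exit }
            if (x[i] + 0 > y[i] + 0) { print 1; exit }
        }
        print 0
    }'
}

# Print patched, vulnerable, unknown-build, or not-installed
# (the last also covers a missing or unreadable file).
qvr_status() {
    info=$(qvr_installed "$1" 2>/dev/null)
    [ -n "$info" ] || { echo "not-installed"; return 0; }
    ver=${info%% *}; build=${info#* }
    case $(ver_cmp "$ver" "$FIXED_VERSION") in
        1)  echo "patched" ;;
        -1) echo "vulnerable" ;;
        0)  case $build in
                ''|*[!0-9]*) echo "unknown-build" ;;
                *) [ "$build" -ge "$FIXED_BUILD" ] && echo "patched" || echo "vulnerable" ;;
            esac ;;
    esac
}

# Constructed sample input (not taken from a real device).
sample=$(mktemp)
printf '[Other]\nVersion = 9.9.9\n[QVR]\nVersion = 5.1.6\nBuild = 20220331\n' > "$sample"
echo "QVR status: $(qvr_status "$sample")"
rm -f "$sample"
```

On a device, pass the path used in the commands above, for example `qvr_status /etc/qpkg.conf`.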

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Unexpected process creation from QVR service
  • Failed authentication attempts to QVR

Network Indicators:

  • Unusual outbound connections from QVR system
  • Traffic to known malicious IPs from QVR ports
  • Exploit kit traffic patterns

SIEM Query:

source="qnap_logs" AND (process="*sh*" OR cmd="*curl*" OR cmd="*wget*") AND user="qvr"
