Description
cgi-bin/pingping.cgi on QNAP VioStor NVR devices with firmware 4.0.3, and in the Surveillance Station Pro component in QNAP NAS, allows remote authenticated users to execute arbitrary commands by leveraging guest access and placing shell metacharacters in the query string.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Tim Herres · text · webapps · cgi
https://www.exploit-db.com/exploits/38550
References (1)
Core References
US Government Resource third-party-advisory
x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/927644
Scores
EPSS
0.0718
EPSS Percentile
91.6%
Details
CWE
CWE-94
Status
published
Products (4)
qnap/nas
qnap/surveillance_station_pro
qnap/viostor_network_video_recorder
4.0.3
qnap/viostor_network_video_recorder
Published
Jun 07, 2013
Tracked Since
Feb 18, 2026