CVE-2017-6359

CRITICAL

QNAP QTS < 4.2.4 - OS Command Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-6359. PoCs published by Harry Sintonen.

AI-analyzed exploit summary The exploit demonstrates unauthenticated and authenticated remote command execution (RCE) vulnerabilities in QNAP QTS firmware via command injection in CGI binaries. It includes detailed examples of crafted HTTP requests to execute arbitrary commands as root.

Description

QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administrator privileges and execute arbitrary commands via unspecified vectors.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Harry Sintonen · textwebappscgi

https://www.exploit-db.com/exploits/41842

View Code ZIP pw:eip

The exploit demonstrates unauthenticated and authenticated remote command execution (RCE) vulnerabilities in QNAP QTS firmware via command injection in CGI binaries. It includes detailed examples of crafted HTTP requests to execute arbitrary commands as root.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: QNAP QTS firmware versions 4.2.2 and 4.2.3

No auth needed

Prerequisites: Network access to the target device

MITRE ATT&CK