Exploitation Summary
CVE-2017-6360 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Harry Sintonen.
AI-analyzed exploit summary: The exploit demonstrates unauthenticated and authenticated remote command execution (RCE) vulnerabilities in QNAP QTS firmware via command injection in CGI binaries. It includes detailed examples of crafted HTTP requests to execute arbitrary commands as root.
Description
QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administrator privileges and obtain sensitive information via unspecified vectors.
Exploits (1)
References (6)
Scores
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H