CVE-2017-6361

CRITICAL EXPLOITED IN THE WILD

QNAP QTS < 4.2.4 - OS Command Injection

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2017-6361 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 1 public exploit from researchers including Harry Sintonen.

AI-analyzed exploit summary The exploit demonstrates unauthenticated and authenticated remote command execution (RCE) vulnerabilities in QNAP QTS firmware via command injection in CGI binaries. It includes detailed examples of crafted HTTP requests to execute arbitrary commands as root.

Description

QNAP QTS before 4.2.4 Build 20170313 allows attackers to execute arbitrary commands via unspecified vectors.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Harry Sintonen · textwebappscgi
https://www.exploit-db.com/exploits/41842

The exploit demonstrates unauthenticated and authenticated remote command execution (RCE) vulnerabilities in QNAP QTS firmware via command injection in CGI binaries. It includes detailed examples of crafted HTTP requests to execute arbitrary commands as root.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: QNAP QTS firmware versions 4.2.2 and 4.2.3
No auth needed
Prerequisites: Network access to the target device
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/97072
Mitigation, Vendor Advisory x_refsource_confirm
https://www.qnap.com/en/support/con_show.php?cid=113
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41842/
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1038091
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/97059

Scores

CVSS v3 9.8
EPSS 0.5685
EPSS Percentile 98.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2014-09-22
InTheWild.io 2018-07-01
CWE
CWE-78
Status published
Products (1)
qnap/qts < 4.2.4
Published Mar 23, 2017
Tracked Since Feb 18, 2026