CVE-2017-7876
CRITICAL
EXPLOITED IN THE WILD
QTS < 4.2.6 - OS Command Injection
Title source: llm
Exploitation Summary
CVE-2017-7876 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io).
Description
This command injection vulnerability in QTS allows attackers to run arbitrary commands in the compromised application. QNAP have already fixed the issue in QTS 4.2.6 build 20170517, QTS 4.3.3.0174 build 20170503 and later versions.
References (3)
Core References
Various Sources x_refsource_misc
https://www.qnap.com/en/release-notes/qts/4.3.3.0174/20170503
Various Sources x_refsource_misc
https://www.qnap.com/en/release-notes/qts/4.2.6/20170517
Various Sources x_refsource_misc
https://www.qnap.com/zh-tw/security-advisory/nas-201707-12
Scores
CVSS v3
10.0
EPSS
0.0671
EPSS Percentile
91.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Details
VulnCheck KEV
2024-09-18
InTheWild.io
2024-09-18
CWE
CWE-77
Status
published
Products (1)
qnap/qts
< 4.2.6
Published
Jun 15, 2017
Tracked Since
Feb 18, 2026