CVE-2020-36195

CRITICAL EXPLOITED RANSOMWARE

QNAP QTS - SQL Injection via Multimedia Console or Media Streaming Add-on

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-36195 has been observed exploited in the wild (reported by VulnCheck KEV), including in ransomware campaigns.

Description

An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia Console and the Media Streaming add-on. QTS 4.3.3: Media Streaming add-on 430.1.8.10 and later QTS 4.3.6: Media Streaming add-on 430.1.8.8 and later QTS 4.4.x and later: Multimedia Console 1.3.4 and later We have also fixed this vulnerability in the following versions of QTS 4.3.3 and QTS 4.3.6, respectively: QTS 4.3.3.1624 Build 20210416 or later QTS 4.3.6.1620 Build 20210322 or later

References (1)

Core 1
Core References
Vendor Advisory x_refsource_misc
https://www.qnap.com/en/security-advisory/qsa-21-11

Scores

CVSS v3 9.8
EPSS 0.0176
EPSS Percentile 75.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-07-28
Ransomware Use Confirmed
CWE
CWE-943 CWE-20 CWE-89
Status published
Products (50)
qnap/media_streaming_add-on < 430.1.8.10
qnap/multimedia_console < 1.3.4
qnap/qts 4.3.3
qnap/qts 4.3.3.0095
qnap/qts 4.3.3.0096
qnap/qts 4.3.3.0136
qnap/qts 4.3.3.0154
qnap/qts 4.3.3.0174
qnap/qts 4.3.3.0188
qnap/qts 4.3.3.0210
... and 40 more
Published Apr 17, 2021
Tracked Since Feb 18, 2026