Description
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions:
QTS 5.1.4.2596 build 20231128 and later
QTS 4.5.4.2627 build 20231225 and later
QuTS hero h5.1.4.2596 build 20231128 and later
QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.1.5.2651 and later
References (1)
Core References
Vendor Advisory
https://www.qnap.com/en/security-advisory/qsa-23-47
Scores
CVSS v3
9.0
EPSS
0.0018
EPSS Percentile
39.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
CWE-77
Status
published
Products (45)
qnap/qts
4.5.4.1715 build_20210630
qnap/qts
4.5.4.1723 build_20210708
qnap/qts
4.5.4.1741 build_20210726
qnap/qts
4.5.4.1787 build_20210910
qnap/qts
4.5.4.1800 build_20210923
qnap/qts
4.5.4.1892 build_20211223
qnap/qts
4.5.4.1931 build_20220128
qnap/qts
4.5.4.2012 build_20220419
qnap/qts
4.5.4.2117 build_20220802
qnap/qts
4.5.4.2280 build_20230112
... and 35 more
Published
Feb 02, 2024
Tracked Since
Feb 18, 2026