CVE-2023-47218

MEDIUM · EXPLOITED IN THE WILD · NUCLEI

QNAP QTS 5.1.0-5.1.5.2645 and QuTS hero h5.1.0-h5.1.5.2647 and QuTScloud c5.0.0.1919-c5.1.5.2651 - OS Command Injection

Exploitation Summary

CVE-2023-47218 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 2 public exploits from researchers including passwa11, sfewer-r7, Spencer McIntyre, and jheysel-r7, one of which is the Metasploit module exploits/linux/http/qnap_qts_rce_cve_2023_47218. A Nuclei detection template is also available.

Description

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later; QuTS hero h5.1.5.2647 build 20240118 and later; QuTScloud c5.1.5.2651 and later.

Exploits (2)

nomisec WORKING POC
by passwa11 · remote
https://github.com/passwa11/CVE-2023-47218

This repository contains a functional exploit for CVE-2023-47218, an unauthenticated command injection vulnerability in QNAP QTS and QuTS Hero. The exploit leverages a crafted multipart/form-data request to execute arbitrary commands on the target system.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: QNAP QTS and QuTS Hero
No auth needed
Prerequisites: Network access to the target system · Target system running vulnerable QNAP QTS or QuTS Hero
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
by sfewer-r7, Spencer McIntyre, jheysel-r7 · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/qnap_qts_rce_cve_2023_47218.rb

This Metasploit module exploits an unauthenticated command injection vulnerability in QNAP QTS and QuTS Hero via the quick.cgi endpoint. It uploads a malicious script to the target device and executes it to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: QNAP QTS and QuTS Hero (uninitialized devices)
No auth needed
Prerequisites: Network access to an uninitialized QNAP NAS device · quick.cgi endpoint must be exposed and enabled
devstral-2 · analyzed Feb 19, 2026

Nuclei Templates (1)

QNAP QTS and QuTS Hero - OS Command Injection
MEDIUM · VERIFIED · by ritikchaddha
Shodan: ssl.cert.issuer.cn:"QNAP NAS",title:"QNAP Turbo NAS"

Scores

CVSS v3 5.8
EPSS 0.8916
EPSS Percentile 99.8%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

VulnCheck KEV 2024-02-16
InTheWild.io 2024-09-18
CWE: CWE-78, CWE-77
Status published
Products (5)
qnap/qts 5.1.5.2645
qnap/qts 5.1.0 - 5.1.5.2645
qnap/quts_hero h5.1.5.2647
qnap/quts_hero h5.1.0 - h5.1.5.2647
qnap/qutscloud c5.0.0.1919 - c5.1.5.2651
Published Feb 13, 2024
Tracked Since Feb 18, 2026