CVE-2023-47565
HIGH KEVQVR Firmware 4.0.0-4.x - Authenticated OS Command Injection
Title source: llmExploitation Summary
CVE-2023-47565 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 21, 2023.
Description
An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QVR Firmware 5.0.0 and later
References (2)
Core 2
Core References
Vendor Advisory
https://www.qnap.com/en/security-advisory/qsa-23-48
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-47565
Scores
CVSS v3
8.0
EPSS
0.8675
EPSS Percentile
99.4%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
active
Automatable
no
Technical Impact
total
Details
CISA KEV
2023-12-21
VulnCheck KEV
2023-12-14
InTheWild.io
2023-12-16
ENISA EUVD
EUVD-2023-51676
CWE
CWE-78
Status
published
Products (1)
qnap/qvr_firmware
4.0.0 - 5.0.0
Published
Dec 08, 2023
KEV Added
Dec 21, 2023
Tracked Since
Feb 18, 2026