CVE-2023-47565

HIGH KEV

Qnap Qvr Firmware < 5.0.0 - OS Command Injection

Title source: rule

Description

An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QVR Firmware 5.0.0 and later

References (2)

[Vendor Advisory] https://www.qnap.com/en/security-advisory/qsa-23-48

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-47565

Scores

CVSS v3 8.0

EPSS 0.8675

EPSS Percentile 99.4%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2023-12-21

VulnCheck KEV 2023-12-14

InTheWild.io 2023-12-16

ENISA EUVD EUVD-2023-51676

CWE

CWE-78

Status published

Products (1)

qnap/qvr_firmware 4.0.0 - 5.0.0

Published Dec 08, 2023

KEV Added Dec 21, 2023

Tracked Since Feb 18, 2026