EUVD-2025-17340CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
A command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.4.3079 build 20250321 and later QuTS hero h5.2.4.3079 build 20250321 and later
Analysis
Command injection vulnerability affecting QNAP NAS operating systems (QTS and QuTS hero) that allows authenticated remote attackers to execute arbitrary commands with high severity (CVSS 8.8). The vulnerability requires valid user credentials but no user interaction, making it exploitable by compromised accounts or insider threats. QNAP has released patches as of March 21, 2025, and exploitation details are limited in public disclosures at this time.
Technical Context
This vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command - Command Injection), indicating that user-supplied input is insufficiently sanitized before being passed to system command execution functions. QNAP NAS systems run proprietary QTS (QNAP Turbo Station) or QuTS hero operating systems that manage network-attached storage and provide remote administration interfaces. The command injection likely occurs in a network-accessible service or administrative function that accepts user input—potentially in web interface parameters, API calls, or configuration management features—and passes this input to shell execution without proper escaping or validation. The affected products are enterprise-grade NAS systems commonly deployed in business, research, and content delivery environments.
Affected Products
- vendor: QNAP; product: QTS; vulnerable_versions: All versions prior to 5.2.4.3079 build 20250321; patched_versions: 5.2.4.3079 build 20250321 and later; cpe_basis: cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:* - vendor: QNAP; product: QuTS hero; vulnerable_versions: All versions prior to h5.2.4.3079 build 20250321; patched_versions: h5.2.4.3079 build 20250321 and later; cpe_basis: cpe:2.3:o:qnap:quts_hero:*:*:*:*:*:*:*:*
Remediation
- action: Immediate patching; details: Upgrade QTS to version 5.2.4.3079 build 20250321 or later; upgrade QuTS hero to version h5.2.4.3079 build 20250321 or later. Check QNAP's official security advisory and download center for your specific NAS model to obtain the correct firmware image. - action: Access control hardening; details: Until patching is complete, restrict administrative and user access to QNAP NAS web interfaces and APIs. Disable remote access if not required; use VPN or IP whitelisting to limit access to trusted networks only. - action: Credential management; details: Enforce strong, unique passwords for all NAS user accounts. Disable or audit any shared administrative credentials. Implement multi-factor authentication if supported by your QNAP firmware version. - action: Network monitoring; details: Monitor NAS system logs and network traffic for suspicious command patterns or unexpected administrative activity. Alert on failed authentication attempts to NAS management interfaces. - action: Vulnerability tracking; details: Register affected QNAP devices with QNAP's security notification service and monitor CVE databases for any proof-of-concept or active exploitation reports.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today