
QNAP QTS CVE-2026-22893 | EUVD-2026-35972 | HIGH
OS Command Injection (CWE-78)
Published 2026-06-10 · vendor: qnap · GHSA-m6jc-8x3p-vxfx
CVSS 4.0 (NVD): 8.6

Severity by source

NVD (primary): 8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; NVD is the only source that has scored this CVE.

CVSS Vector (NVD) · base metrics

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: None (AT:N)
Privileges Required: High (PR:H)
User Interaction: None (UI:N)
Vulnerable System Impact: Confidentiality High, Integrity High, Availability High (VC:H/VI:H/VA:H)
Subsequent System Impact: None (SC:N/SI:N/SA:N)
Threat, environmental and supplemental metrics: all not defined (X), so 8.6 is a base score only. CVSS 4.0 has no Scope metric; the S:X in the vector is the undefined supplemental Safety metric, not Scope.

Lifecycle Timeline

Jun 10, 2026 03:06 · CVE published (nvd) · no severity yet
Jun 10, 2026 04:22 · CVSS changed (NVD) · 8.6 (HIGH)
Jun 10, 2026 05:01 · Patch available (EUVD)
Jun 10, 2026 06:22 · Analysis generated (vuln.today)

Description (NVD)

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands.

We have already fixed the vulnerability in the following versions:

  • QTS 5.2.9.3410 build 20260214 and later
  • QuTS hero h5.2.9.3410 build 20260214 and later
  • QuTS hero h5.3.4.3500 build 20260520 and later
  • QuTS hero h6.0.0.3459 build 20260409 and later

Analysis (AI-generated)

Authenticated command injection in QNAP QTS and QuTS hero NAS operating systems allows attackers with administrator credentials to execute arbitrary OS commands on the appliance. The flaw spans multiple QTS and QuTS hero release trains (5.2.x, 5.3.x, and 6.0.x) and has been patched by QNAP across all affected branches. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Recon: identify an internet-exposed QNAP NAS with the QTS/QuTS hero management interface reachable.
  • Delivery: obtain administrator credentials via password spraying or credential reuse.
  • Exploit: authenticate to the QTS/QuTS hero web UI and submit a crafted request containing shell metacharacters to the vulnerable handler.
  • Execute: the handler passes the value to the OS shell, so the injected command runs on the appliance (CWE-78).
  • Impact: deploy ransomware or exfiltrate stored data.

There is no separate install or command-and-control stage in this chain: the injection itself yields command execution, and anything installed afterwards is a follow-on choice of the attacker.
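The injection step in the flow above is the generic CWE-78 pattern: a value from an authenticated request is interpolated into a command string that reaches /bin/sh. The following is an added example, not QNAP's code and not the vulnerable handler (which the page does not identify); the share-name parameter, the `du` command and the request values are hypothetical. It shows how a shell tokenises the interpolated string into two commands, and the hardened form beside it: an allow-list check followed by an argv list with no shell.

```python
import re
import shlex
import subprocess

# Constructed request values (not taken from the advisory or from QNAP code).
# The second is the shape of payload an attacker holding admin credentials
# would submit: a plausible share name followed by shell metacharacters.
BENIGN_SHARE = "Public"
MALICIOUS_SHARE = "Public; id > /tmp/pwned"


class InvalidInput(ValueError):
    """Raised by the hardened handler when a value fails the allow-list."""


def vulnerable_command(share: str) -> str:
    """VULNERABLE (CWE-78): the request value is interpolated into a command
    string that a real handler would hand to /bin/sh via shell=True.
    Returned instead of executed so the result can be inspected safely."""
    return f"du -sh /share/{share}"


def shell_commands(cmd: str) -> list[str]:
    """Tokenise `cmd` as a POSIX shell would and split it at command
    separators. More than one entry means a second command was injected.
    (Command substitution such as $(...) or backticks is a separate vector
    this splitter does not flag.)"""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "&&", "||", "|", "&"):
            commands.append(" ".join(current))
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(" ".join(current))
    return commands


# Allow-list for a share name: no slashes, no whitespace, no metacharacters.
SHARE_NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def hardened_argv(share: str) -> list[str]:
    """HARDENED: reject anything outside the allow-list, then pass the value
    as its own argv element. With no shell in the path, metacharacters in
    the string are just bytes in a filename, never syntax."""
    if not SHARE_NAME_RE.fullmatch(share):
        raise InvalidInput(f"share name rejected: {share!r}")
    return ["du", "-sh", f"/share/{share}"]


def is_accepted(share: str) -> bool:
    """Does the hardened handler accept this value?"""
    try:
        hardened_argv(share)
        return True
    except InvalidInput:
        return False


def run_hardened(share: str) -> subprocess.CompletedProcess:
    """Execute the hardened form: argv list, shell=False (the default)."""
    return subprocess.run(hardened_argv(share), capture_output=True,
                          text=True, check=False)


if __name__ == "__main__":
    cmd = vulnerable_command(MALICIOUS_SHARE)
    print("vulnerable handler would hand the shell:", cmd)
    print("which the shell runs as two commands:", shell_commands(cmd))
    print("hardened handler accepts the payload?", is_accepted(MALICIOUS_SHARE))
    print("hardened argv for benign input:", hardened_argv(BENIGN_SHARE))
```

The allow-list is the primary control; the argv form is the backstop. Either alone is weaker: an allow-list with `shell=True` still depends on the pattern being tight, and argv without validation still lets an attacker pick any path segment or flag the command accepts.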

Vulnerability Assessment (AI-generated)

Exploitation: The attacker must already hold valid QNAP administrator credentials for a vulnerable QTS or QuTS hero device (CVSS PR:H), and the management interface must be network-reachable from the attacker (AV:N). …

Risk Assessment: The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H scores 8.6: network-reachable, low complexity, full impact on the appliance, but requiring HIGH privileges (administrator), which substantially narrows the realistic attacker population. …

Exploit Scenario: An attacker who has obtained QNAP administrator credentials (for example via password spraying against an internet-exposed NAS, credential reuse from another breach, or chaining with a separate authentication bypass) authenticates to the QTS/QuTS hero web interface and submits a crafted request to the vulnerable handler containing shell metacharacters. The injected payload executes as the OS user the management service runs as, enabling ransomware deployment, exfiltration of stored data, or installation of persistent backdoors. …

Remediation: Vendor patches are available; upgrade to the fixed build for the release train in use, per https://www.qnap.com/en/security-advisory/qsa-26-10:
  • QTS: 5.2.9.3410 build 20260214 or later
  • QuTS hero h5.2.x: h5.2.9.3410 build 20260214 or later
  • QuTS hero h5.3.x: h5.3.4.3500 build 20260520 or later
  • QuTS hero h6.0.x: h6.0.0.3459 build 20260409 or later
…

Recommended Action (AI-generated)

Within 24 hours: Audit inventory for all QNAP QTS and QuTS hero systems; document current firmware versions and identify appliances on affected branches (5.2.x, 5.3.x, 6.0.x). Compare the full version and build date against the fixed builds in the description, not the dotted version alone, since a build with the same dotted version but an earlier build date predates the fix. The fix list names QTS only on 5.2.x and QuTS hero on h5.2.x, h5.3.x and h6.0.x; for any other train, consult the vendor advisory rather than assuming it is unaffected. …
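The inventory audit above comes down to one comparison per appliance: is the firmware at or above the fixed build for its release train? The following is an added example (not QNAP's code or a vendor tool) that parses the version notation the advisory uses, with the leading `h` marking QuTS hero, and compares dotted version and build date against the fixed builds listed in the description. The hostnames and firmware strings in the sample inventory are constructed. Trains with no fixed build on this page, such as QTS 5.3.x, are reported as unknown rather than patched.

```python
import re
from typing import NamedTuple, Optional


class Firmware(NamedTuple):
    product: str      # "QTS" or "QuTS hero"
    version: tuple    # e.g. (5, 2, 9, 3410)
    build: int        # e.g. 20260214


# Fixed versions exactly as listed in the NVD description, keyed by
# (product, major, minor) release train. QTS 5.3.x is not in that list, so
# it deliberately has no entry here.
FIXED = {
    ("QTS", 5, 2):       Firmware("QTS",       (5, 2, 9, 3410), 20260214),
    ("QuTS hero", 5, 2): Firmware("QuTS hero", (5, 2, 9, 3410), 20260214),
    ("QuTS hero", 5, 3): Firmware("QuTS hero", (5, 3, 4, 3500), 20260520),
    ("QuTS hero", 6, 0): Firmware("QuTS hero", (6, 0, 0, 3459), 20260409),
}

# Accepts the advisory's notation: an optional product prefix, an optional
# leading "h" (QNAP's marker for QuTS hero), four dotted numbers and the
# 8-digit build date.
_FW_RE = re.compile(
    r"^(?P<prefix>QTS|QuTS\s+hero)?\s*(?P<hero>h)?"
    r"(?P<ver>\d+(?:\.\d+){3})\s+build\s+(?P<build>\d{8})$",
    re.IGNORECASE,
)


def parse_firmware(text: str) -> Firmware:
    """Parse '5.2.9.3410 build 20260214' or 'QuTS hero h5.3.4.3500 build 20260520'."""
    m = _FW_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    prefix = (m.group("prefix") or "").lower()
    hero = bool(m.group("hero")) or prefix.startswith("quts")
    version = tuple(int(p) for p in m.group("ver").split("."))
    return Firmware("QuTS hero" if hero else "QTS", version, int(m.group("build")))


def patch_status(text: str) -> Optional[bool]:
    """True if the firmware is at or above the fixed release for its train,
    False if it is below, None if this page lists no fix for that train
    (check the vendor advisory rather than assuming it is safe)."""
    fw = parse_firmware(text)
    fixed = FIXED.get((fw.product, fw.version[0], fw.version[1]))
    if fixed is None:
        return None
    # Compare the dotted version first, then the build date: a build with the
    # same dotted version but an earlier date predates the fix.
    return (fw.version, fw.build) >= (fixed.version, fixed.build)


def triage(inventory):
    """Sort (host, firmware string) pairs into patched / vulnerable / unknown."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, fw_text in inventory:
        status = patch_status(fw_text)
        bucket = "unknown" if status is None else ("patched" if status else "vulnerable")
        result[bucket].append(host)
    return result


# Constructed inventory for demonstration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("nas-01", "QTS 5.2.9.3410 build 20260214"),        # exactly the fixed build
    ("nas-02", "5.2.9.3410 build 20260131"),            # same dotted version, older build
    ("nas-03", "QuTS hero h5.3.3.3400 build 20260301"),  # below h5.3.4.3500
    ("nas-04", "h6.0.0.3459 build 20260409"),           # fixed h6.0.x build
    ("nas-05", "QTS 5.3.1.3000 build 20260101"),        # train not in the fix list
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Feed it the version string from each appliance's management UI or from your CMDB export; anything in the "vulnerable" bucket goes on the patch list, and anything in "unknown" needs a manual check against the vendor advisory before it is closed out.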
