Skip to main content

Qunetswitch CVE-2026-22900

| EUVDEUVD-2026-13720 MEDIUM
Use of Hard-coded Credentials (CWE-798)
2026-03-20 qnap
6.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.0.5.0906
EUVD ID Assigned
Mar 20, 2026 - 16:30 euvd
EUVD-2026-13720
Analysis Generated
Mar 20, 2026 - 16:30 vuln.today
CVE Published
Mar 20, 2026 - 16:21 nvd
MEDIUM 6.8

DescriptionCVE.org

A use of hard-coded credentials vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to gain unauthorized access.

We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later

AnalysisAI

QuNetSwitch contains hard-coded credentials that allow remote attackers to bypass authentication and gain unauthorized access to affected systems. This vulnerability affects QuNetSwitch versions prior to 2.0.5.0906, where credentials are embedded in the application code rather than properly managed through secure credential storage mechanisms. Remote attackers can exploit this weakness without requiring valid user credentials, leading to complete compromise of the network switch management interface.

Technical ContextAI

The vulnerability stems from CWE-798 (Use of Hard-Coded Credentials), a critical authentication flaw where sensitive credentials are embedded directly into the QuNetSwitch application codebase rather than being dynamically managed through secure credential stores or external authentication services. This affects QNAP Systems Inc. QuNetSwitch (identified via CPE cpe:2.3:a:qnap_systems_inc.:qunetswitch:*:*:*:*:*:*:*:*), which is a network management platform. Hard-coded credentials are particularly dangerous in networked appliances because they cannot be rotated or revoked at runtime, persist across configuration resets, and are often discoverable through reverse engineering, firmware analysis, or public disclosure. The vulnerability bypasses the entire authentication layer, making it a authentication bypass condition rather than a simple weak password issue.

RemediationAI

Immediately upgrade QuNetSwitch to version 2.0.5.0906 or later to eliminate the hard-coded credentials vulnerability. This is the primary and most effective mitigation. Until patching is completed, implement network-level controls by restricting QuNetSwitch management interface access to trusted administrative networks only using firewall rules, VPNs, or air-gapping from untrusted segments. Monitor QuNetSwitch logs for unauthorized access attempts and consider deploying intrusion detection signatures targeting credential enumeration or authentication bypass patterns. Organizations unable to patch immediately should prioritize this update in their change management process due to the authentication bypass nature and ease of exploitation. Refer to the QNAP security advisory at https://www.qnap.com/en/security-advisory/qsa-26-11 for detailed patching instructions and additional context.

Share

CVE-2026-22900 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy