Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A use of hard-coded credentials vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to gain unauthorized access.
We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later
AnalysisAI
QuNetSwitch contains hard-coded credentials that allow remote attackers to bypass authentication and gain unauthorized access to affected systems. This vulnerability affects QuNetSwitch versions prior to 2.0.5.0906, where credentials are embedded in the application code rather than properly managed through secure credential storage mechanisms. Remote attackers can exploit this weakness without requiring valid user credentials, leading to complete compromise of the network switch management interface.
Technical ContextAI
The vulnerability stems from CWE-798 (Use of Hard-Coded Credentials), a critical authentication flaw where sensitive credentials are embedded directly into the QuNetSwitch application codebase rather than being dynamically managed through secure credential stores or external authentication services. This affects QNAP Systems Inc. QuNetSwitch (identified via CPE cpe:2.3:a:qnap_systems_inc.:qunetswitch:*:*:*:*:*:*:*:*), which is a network management platform. Hard-coded credentials are particularly dangerous in networked appliances because they cannot be rotated or revoked at runtime, persist across configuration resets, and are often discoverable through reverse engineering, firmware analysis, or public disclosure. The vulnerability bypasses the entire authentication layer, making it a authentication bypass condition rather than a simple weak password issue.
RemediationAI
Immediately upgrade QuNetSwitch to version 2.0.5.0906 or later to eliminate the hard-coded credentials vulnerability. This is the primary and most effective mitigation. Until patching is completed, implement network-level controls by restricting QuNetSwitch management interface access to trusted administrative networks only using firewall rules, VPNs, or air-gapping from untrusted segments. Monitor QuNetSwitch logs for unauthorized access attempts and consider deploying intrusion detection signatures targeting credential enumeration or authentication bypass patterns. Organizations unable to patch immediately should prioritize this update in their change management process due to the authentication bypass nature and ease of exploitation. Refer to the QNAP security advisory at https://www.qnap.com/en/security-advisory/qsa-26-11 for detailed patching instructions and additional context.
More in Qunetswitch
View allRemote command execution in QuNetSwitch versions prior to 2.0.4.0415 allows unauthenticated attackers to execute arbitra
A vulnerability involving insecure storage of sensitive information has been reported to affect QSW-M2116P-2T2S and QNAP
Command injection in QuNetSwitch allows authenticated remote attackers to execute arbitrary commands on affected systems
Arbitrary command execution in QuNetSwitch can be achieved by local attackers with administrator privileges due to insuf
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13720