Skip to main content

Qunetswitch CVE-2026-22901

| EUVDEUVD-2026-13722 MEDIUM
OS Command Injection (CWE-78)
2026-03-20 qnap
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.0.5.0906
EUVD ID Assigned
Mar 20, 2026 - 16:30 euvd
EUVD-2026-13722
Analysis Generated
Mar 20, 2026 - 16:30 vuln.today
CVE Published
Mar 20, 2026 - 16:21 nvd
MEDIUM 6.3

DescriptionCVE.org

A command injection vulnerability has been reported to affect QuNetSwitch. If a remote attacker gains a user account, they can then exploit the vulnerability to execute arbitrary commands.

We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later

AnalysisAI

Command injection in QuNetSwitch allows authenticated remote attackers to execute arbitrary commands on affected systems with high impact to confidentiality and integrity. The vulnerability requires valid user credentials to exploit but poses significant risk to systems running versions prior to 2.0.5.0906. No patch is currently available for this CVSS 6.3 medium-severity issue.

Technical ContextAI

QuNetSwitch is a network management application developed by QNAP Systems Inc., identified via CPE as cpe:2.3:a:qnap_systems_inc.:qunetswitch:*:*:*:*:*:*:*:*. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command, also known as OS Command Injection), which indicates that user-supplied input is passed unsanitized to system command execution functions without adequate filtering or escaping. This class of vulnerability typically arises when application code directly constructs shell commands from untrusted input or fails to use safe command invocation APIs (such as parameterized command libraries instead of shell concatenation).

RemediationAI

Upgrade QNAP QuNetSwitch to version 2.0.5.0906 or later immediately, following QNAP's official patching guidance provided in the security advisory at https://www.qnap.com/en/security-advisory/qsa-26-11. Until patching can be completed, restrict network access to the QuNetSwitch management interface to trusted administrative IP addresses or networks, enforce strong password policies to reduce the likelihood of credential compromise, and monitor user account activity and command execution logs for suspicious behavior. If QuNetSwitch is exposed to untrusted networks, isolate it behind a firewall with granular access controls until the patch is deployed.

Share

CVE-2026-22901 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy