Severity by source
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands.
We have already fixed the vulnerability in the following versions:
- QTS 5.2.9.3492 build 20260507 and later
- QuTS hero h5.2.9.3499 build 20260514 and later
Analysis (AI)
Authenticated command injection in the QNAP QTS and QuTS hero NAS operating systems allows an attacker who already holds an administrator account to execute arbitrary OS commands on the appliance. The flaw carries a CVSS 4.0 score of 8.6, but the PR:H requirement substantially narrows the attacker population; no public exploit had been identified at the time of analysis, and the issue is not listed in CISA KEV. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires a valid QNAP administrator account on the target NAS (CVSS PR:H) and network reachability to the device's administrative web interface (AV:N); no victim user interaction is needed (UI:N) and attack complexity is low (AC:L). … |
| Risk Assessment | Signals point in opposite directions and must be weighed carefully. … |
| Exploit Scenario | An attacker who has phished, brute-forced, or replayed a stolen administrator credential logs into the QNAP web UI over the network and submits a crafted value to a vulnerable admin endpoint that embeds the input into a shell command. The injected metacharacters cause the NAS to execute arbitrary OS commands with the privileges of the underlying service, giving the attacker a persistent foothold on the appliance and access to all stored data. … |
| Remediation | Apply the vendor-released patches: upgrade QTS to 5.2.9.3492 build 20260507 or later, and QuTS hero to h5.2.9.3499 build 20260514 or later, as published in QNAP advisory QSA-26-23 (https://www.qnap.com/en/security-advisory/qsa-26-23). … |
Recommended Action (AI)
24 hours: Identify and catalog all QNAP NAS systems running QTS versions prior to 5.2.9.3492 or QuTS hero versions prior to h5.2.9.3499; audit administrator account access and credential management. …
EUVD-2026-35977
GHSA-8fh7-4j6j-cx8g