Skip to main content

Qnap

Vendor security scorecard – 273 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 1395
273
CVEs
50
Critical
83
High
7
KEV
24
PoC
118
Unpatched C/H
18.3%
Patch Rate
4.8%
Avg EPSS

Severity Breakdown

CRITICAL
50
HIGH
83
MEDIUM
116
LOW
24

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2017-6361 QNAP QTS before 4.2.4 Build 20170313 allows attackers to execute arbitrary commands via unspecified vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 90.5%. CRITICAL 9.8 90.5% 160
PoC No patch
CVE-2017-6360 QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administrator privileges and obtain sensitive information via unspecified vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 80.0%. CRITICAL 9.8 80.0% 149
PoC No patch
CVE-2017-13067 QNAP has patched a remote code execution vulnerability affecting the QTS Media Library in all versions prior to QTS 4.2.6 build 20170905 and QTS 4.3.3.0299 build 20170901. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 51.1%. CRITICAL 9.8 51.1% 135
PoC No patch
CVE-2017-6359 QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administrator privileges and execute arbitrary commands via unspecified vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 61.4%. CRITICAL 9.8 61.4% 130
PoC No patch
CVE-2018-0706 Exposure of Private Information in QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to access sensitive information. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available. HIGH 8.8 48.7% 79
PoC No patch
CVE-2017-5227 QNAP QTS before 4.2.4 Build 20170313 allows local users to obtain sensitive Domain Administrator password information by reading data in an XOR format within the /etc/config/uLinux.conf configuration. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 19.5%. HIGH 7.5 19.5% 77
PoC No patch
CVE-2017-7876 This command injection vulnerability in QTS allows attackers to run arbitrary commands in the compromised application. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. CRITICAL 10.0 6.7% 77
PoC No patch
CVE-2018-0707 Command injection vulnerability in change password of QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to run arbitrary commands. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available. HIGH 7.2 59.2% 71
PoC No patch
CVE-2019-7192 This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. CRITICAL 9.8 88.2% 69
KEV PoC No patch
CVE-2019-7193 This improper input validation vulnerability allows remote attackers to inject arbitrary code to the system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. CRITICAL 9.8 14.4% 69
KEV PoC No patch
CVE-2019-7194 This external control of file name or path vulnerability allows remote attackers to access or modify system files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. CRITICAL 9.8 83.0% 69
KEV PoC No patch
CVE-2019-7195 This external control of file name or path vulnerability allows remote attackers to access or modify system files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. CRITICAL 9.8 89.7% 69
KEV PoC No patch
CVE-2021-28799 An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. CRITICAL 9.8 78.4% 69
KEV PoC No patch
CVE-2022-27593 An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. CRITICAL 9.1 87.9% 66
KEV PoC No patch
CVE-2018-0708 Command injection vulnerability in networking of QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to run arbitrary commands. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available. HIGH 8.8 26.3% 64
PoC No patch

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy