Primary

Context

QNAP Operating Systems Command Injection Vulnerability

Vulnerability

Patched

A command injection vulnerability exists in several QNAP operating system versions. This vulnerability allows an attacker with local network access and a user account to execute arbitrary commands. Affected QNAP operating system versions include QTS 5.1.9.2954 build 20241120 and earlier, QTS 5.2.3.3006 build 20250108 and earlier, QuTS hero h5.1.9.2954 build 20241120 and earlier, and QuTS hero h5.2.3.3006 build 20250108 and earlier.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected system.

Remediation

Users can upgrade to QTS 5.1.9.2954 build 20241120, QTS 5.2.3.3006 build 20250108, QuTS hero h5.1.9.2954 build 20241120, or QuTS hero h5.2.3.3006 build 20250108 to address this vulnerability.

Added: Mar 11, 2026, 8:25 AM

Updated: Mar 11, 2026, 8:25 AM

Vulnerability Rating

Custom Algorithm

spread

6.8

impact

7.5

exploitability

3.5

remediation

7.7

relevance

4.2

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

6.8

impact

7.5

exploitability

3.5

remediation

7.7

relevance

4.2

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

QNAP Operating Systems Command Injection Vulnerability

Vulnerability

Impact

Remediation

Affected Products

QNAP QTS

QNAP QuTS hero

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating