CVE-2020-2509

Published: 17/04/2021 Updated: 14/11/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows malicious users to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later; QTS 4.5.1.1495 Build 20201123 and later; QTS 4.3.6.1620 Build 20210322 and later; QTS 4.3.4.1632 Build 20210324 and later; QTS 4.3.3.1624 Build 20210416 and later; QTS 4.2.6 Build 20210327 and later; QuTS hero h4.5.1.1491 build 20201119 and later.

Vulnerable Product

qnap qts 4.3.4.0387

qnap qts 4.3.4.0370

qnap qts 4.3.4.0372

qnap qts 4.3.4.0374

qnap qts 4.3.4.0358

qnap qts 4.3.4.0604

qnap qts 4.3.4.0597

qnap qts 4.3.4.0593

qnap qts 4.3.4.0569

qnap qts 4.3.4.0561

qnap qts 4.3.4.0516

qnap qts 4.3.4.0526

qnap qts 4.3.4.0551

qnap qts 4.3.4.0557

qnap qts 4.3.6.1033

qnap qts 4.3.6.1013

qnap qts 4.3.6.0993

qnap qts 4.3.6.0979

qnap qts 4.3.6.0959

qnap qts 4.3.6.0944

qnap qts 4.3.6.0923

qnap qts 4.3.6.0907

qnap qts 4.3.6.0895

qnap qts 4.3.3.0998

qnap qts 4.3.3.0868

qnap qts 4.3.4.1029

qnap qts 4.3.4.0899

qnap qts 4.2.6

qnap qts

qnap qts 4.3.4.1368

qnap qts 4.3.4.1417

qnap qts 4.3.4.0411

qnap qts 4.3.4.0416

qnap qts 4.3.4.0427

qnap qts 4.3.4.0434

qnap qts 4.3.4.0435

qnap qts 4.3.4.0451

qnap qts 4.3.4.0483

qnap qts 4.3.4.0486

qnap qts 4.3.4.0506

qnap qts 4.3.4.1082

qnap qts 4.3.4.1190

qnap qts 4.3.4.1282

qnap qts 4.3.3.1315

qnap qts 4.3.3.1386

qnap qts 4.3.3.0174

qnap qts 4.3.3.1051

qnap qts 4.3.3.1098

qnap qts 4.3.3.1161

qnap qts 4.3.3.1252

qnap qts 4.5.2

qnap qts 4.5.1

qnap qts 4.3.6.1286

qnap qts 4.3.6.1333

qnap qts 4.3.6.1411

qnap qts 4.3.6

qnap qts 4.3.6.1070

qnap qts 4.3.6.1154

qnap qts 4.3.6.1218

qnap qts 4.3.6.1263

qnap qts 4.3.6.1446

qnap qts 4.3.3.1432

qnap qts 4.5.1.1456

qnap qts 4.5.1.1461

qnap qts 4.5.1.1465

qnap qts 4.5.1.1480

qnap qts 4.3.4.1463

qnap quts hero

qnap quts hero h4.5.1.1472

qnap quts hero h4.5.1

Github Repositories

QNAP N-Day (Probably not CVE-2020-2509)

Overkill

Overkill is an exploit for a patched vulnerability affecting QNAP QTS. Due to the way QNAP discloses vulnerabilities, I'm unsure if this issue has a CVE or not. However, it was likely patched in November 2020 and April 2021. The n-day was "discovered" while doing diff analysis for CVE-2020-2509. This is almost certainly not CVE-2020-2509. The exploit wil

Recent Articles

QNAP caught napping as disclosure delay expires, critical NAS bugs revealed
The Register • Thomas Claburn in San Francisco • 02 Apr 2021

Remote code execution hole, arbitrary file writing flaw could make a mess of stored files

Data-stealing, password-harvesting, backdoor-opening QNAP NAS malware cruises along at 62,000 infections

Updated: Some QNAP network attached storage devices are vulnerable to attack because of two critical vulnerabilities, one that enables unauthenticated remote code execution and another that provides the ability to write to arbitrary files. The vulnerabilities were made known to the Taiwan-based company on October 12, 2020, and on November 29, 2020, by SAM Seamless Network, a connected home security firm. They were found in the QNAP TS-231's latest firmware, version 4.3.6.1446, which SAM claims wa...