CVE-2020-2509 - Vulnerability Details

A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later QTS 4.5.1.1495 Build 20201123 and later QTS 4.3.6.1620 Build 20210322 and later QTS 4.3.4.1632 Build 20210324 and later QTS 4.3.3.1624 Build 20210416 and later QTS 4.2.6 Build 20210327 and later QuTS hero h4.5.1.1491 build 20201119 and later

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is in the KEV database since April 11, 2022.

The EPSS score is 0.74036.

Exploitation active

Automatable yes

Technical Impact total

Vendors	Products
Qnap	Qts Quts Hero

Configuration 1 [-]

OR	cpe:2.3:o:qnap:qts::::::::
	cpe:2.3:o:qnap:qts::::::::
	cpe:2.3:o:qnap:qts::::::::
	cpe:2.3:o:qnap:qts:4.2.6:-::::::
	cpe:2.3:o:qnap:qts:4.2.6:build_20170517::::::
	cpe:2.3:o:qnap:qts:4.2.6:build_20190322::::::
	cpe:2.3:o:qnap:qts:4.2.6:build_20190730::::::
	cpe:2.3:o:qnap:qts:4.2.6:build_20190921::::::
	cpe:2.3:o:qnap:qts:4.2.6:build_20191107::::::
	cpe:2.3:o:qnap:qts:4.2.6:build_20200109::::::
	cpe:2.3:o:qnap:qts:4.2.6:build_20200421::::::
	cpe:2.3:o:qnap:qts:4.2.6:build_20200611::::::
	cpe:2.3:o:qnap:qts:4.2.6:build_20200821::::::
	cpe:2.3:o:qnap:qts:4.3.3.0174:::::::*
	cpe:2.3:o:qnap:qts:4.3.3.0868:::::::*
	cpe:2.3:o:qnap:qts:4.3.3.0998:::::::*
	cpe:2.3:o:qnap:qts:4.3.3.1051:::::::*
	cpe:2.3:o:qnap:qts:4.3.3.1098:::::::*
	cpe:2.3:o:qnap:qts:4.3.3.1161:::::::*
	cpe:2.3:o:qnap:qts:4.3.3.1252:::::::*
	cpe:2.3:o:qnap:qts:4.3.3.1315:::::::*
	cpe:2.3:o:qnap:qts:4.3.3.1386:::::::*
	cpe:2.3:o:qnap:qts:4.3.3.1432:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0358:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0358:beta1::::::
	cpe:2.3:o:qnap:qts:4.3.4.0370:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0370:beta1::::::
	cpe:2.3:o:qnap:qts:4.3.4.0372:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0372:beta1::::::
	cpe:2.3:o:qnap:qts:4.3.4.0374:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0374:beta1::::::
	cpe:2.3:o:qnap:qts:4.3.4.0387:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0387:beta2::::::
	cpe:2.3:o:qnap:qts:4.3.4.0411:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0416:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0427:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0434:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0435:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0451:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0483:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0486:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0506:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0516:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0526:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0551:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0557:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0561:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0569:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0593:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0597:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0604:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.0899:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.1029:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.1082:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.1190:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.1282:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.1368:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.1417:::::::*
	cpe:2.3:o:qnap:qts:4.3.4.1463:::::::*
	cpe:2.3:o:qnap:qts:4.3.6:-::::::
	cpe:2.3:o:qnap:qts:4.3.6.0895:::::::*
	cpe:2.3:o:qnap:qts:4.3.6.0907:::::::*
	cpe:2.3:o:qnap:qts:4.3.6.0923:::::::*
	cpe:2.3:o:qnap:qts:4.3.6.0944:::::::*
cpe:2.3:o:qnap:qts:4.3.6.0959:::::::*
cpe:2.3:o:qnap:qts:4.3.6.0979:::::::*
cpe:2.3:o:qnap:qts:4.3.6.0993:::::::*
cpe:2.3:o:qnap:qts:4.3.6.1013:::::::*
cpe:2.3:o:qnap:qts:4.3.6.1033:::::::*
cpe:2.3:o:qnap:qts:4.3.6.1070:::::::*
cpe:2.3:o:qnap:qts:4.3.6.1154:::::::*
cpe:2.3:o:qnap:qts:4.3.6.1218:::::::*
cpe:2.3:o:qnap:qts:4.3.6.1263:::::::*
cpe:2.3:o:qnap:qts:4.3.6.1286:::::::*
cpe:2.3:o:qnap:qts:4.3.6.1333:::::::*
cpe:2.3:o:qnap:qts:4.3.6.1411:::::::*
cpe:2.3:o:qnap:qts:4.3.6.1446:::::::*
cpe:2.3:o:qnap:qts:4.5.1:-::::::
cpe:2.3:o:qnap:qts:4.5.1.1456:::::::*
cpe:2.3:o:qnap:qts:4.5.1.1461:::::::*
cpe:2.3:o:qnap:qts:4.5.1.1465:::::::*
cpe:2.3:o:qnap:qts:4.5.1.1480:::::::*
cpe:2.3:o:qnap:qts:4.5.2:-::::::
cpe:2.3:o:qnap:quts_hero::::::::
cpe:2.3:o:qnap:quts_hero:h4.5.1:-::::::
cpe:2.3:o:qnap:quts_hero:h4.5.1.1472:::::::*

No data.

Advisories

No advisories yet.

Fixes

Solution

QNAP has already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later QTS 4.5.1.1495 Build 20201123 and later QTS 4.3.6.1620 Build 20210322 and later QTS 4.3.4.1632 Build 20210324 and later QTS 4.3.3.1624 Build 20210416 and later QTS 4.2.6 Build 20210327 and later QuTS hero h4.5.1.1491 build 20201119 and later

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-2509
https://www.qnap.com/en/security-advisory/qsa-21-05

History

Wed, 22 Oct 2025 00:30:00 +0000

Type	Values Removed	Values Added
References		https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-2509

Tue, 21 Oct 2025 20:30:00 +0000

Type	Values Removed	Values Added
References	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-2509

Tue, 21 Oct 2025 19:30:00 +0000

Type	Values Removed	Values Added
References		https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-2509

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.86915}`	epss `{'score': 0.84258}`

Thu, 06 Feb 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		kev `{'dateAdded': '2022-04-11'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 17 Sep 2024 00:00:00 +0000

Type	Values Removed	Values Added
Title	Command Injection Vulnerability in QTS and QuTS hero	Command Injection Vulnerability in QTS and QuTS hero

MITRE

Status: PUBLISHED

Assigner: qnap

Published: 2021-04-17T03:50:12.655Z

Updated: 2025-10-21T23:25:49.063Z

Reserved: 2019-12-09T00:00:00.000Z

Link: CVE-2020-2509

Vulnrichment

Updated: 2024-08-04T07:09:54.659Z

NVD

Status : Modified

Published: 2021-04-17T04:15:11.327

Modified: 2025-10-22T00:17:06.057

Link: CVE-2020-2509

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation active

Automatable yes

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object