A command injection vulnerability (CWE‑78) is present in the QNAP operating system for QTS and QuTS hero. An attacker who has local network access and a valid user account can supply specially crafted input that is passed to the system shell, enabling the execution of arbitrary operating‑system commands. This allows the attacker to compromise the integrity and availability of the NAS device, potentially installing malware, modifying configuration files, or exfiltrating data.

The vulnerability affects QNAP Systems Inc. QTS and QuTS hero firmware versions prior to the patches listed in the vendor advisory. Specifically, QTS firmware earlier than build 20241120 (versions up to QTS 5.1.9.2954) and earlier than build 20250108 (versions up to QTS 5.2.3.3006) are vulnerable, as are QuTS hero firmware before build 20241120 (versions up to h5.1.9.2954) and before build 20250108 (versions up to h5.2.3.3006). The extensive list of cpe strings confirms that multiple sub‑versions across the 5.1.x, 5.2.x, h5.1.x, and h5.2.x lines are affected.

Because an attacker must already possess local network credentials to exploit the flaw, the attack vector is classified as local (L). The CVSS score of 2.0 indicates low severity, and the EPSS score of less than 1 % suggests a low likelihood of exploitation in the wild. This vulnerability is not currently listed in the CISA KEV catalog. Nevertheless, any enabled feature that accepts user‑controlled input without proper sanitisation can be abused by a malicious local user, so remediation is recommended as a precaution.