Description
A command injection vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to execute arbitrary commands.

We have already fixed the vulnerability in the following version:
QuNetSwitch 2.0.4.0415 and later
Published: 2026-03-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A command injection vulnerability in QNAP Systems Inc.’s QuNetSwitch allows remote attackers to supply arbitrary command payloads via unsanitized inputs. Successful exploitation permits execution of arbitrary system commands, potentially resulting in full compromise of the switch and unauthorized access to network resources. The weakness is described by CWE-78.

Affected Systems

The vulnerability affects devices running QuNetSwitch firmware versions prior to 2.0.4.0415. All users of earlier firmware are vulnerable; the issue is fixed in version 2.0.4.0415 and later. Check the current firmware version against this baseline.

Risk and Exploitability

The advisory lists a CVSS base score of 8.1, indicating high severity, and an EPSS score of 1%, suggesting a modest likelihood of exploitation. The vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is remote network access to the switch’s management interface, where an attacker can craft input to trigger the command execution.

Generated by OpenCVE AI on March 25, 2026 at 23:54 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.4.0415 and later

OpenCVE Recommended Actions

  • Upgrade QuNetSwitch firmware to version 2.0.4.0415 or later
  • Verify successful installation by checking firmware version and rebooting the device
  • Monitor logs for anomalous command execution attempts
  • If upgrade is not immediately possible, block external access to the switch management interface and isolate the device with network segmentation

Generated by OpenCVE AI on March 25, 2026 at 23:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Qnap
Qnap qunetswitch
CPEs cpe:2.3:a:qnap:qunetswitch:*:*:*:*:*:*:*:*
Vendors & Products Qnap
Qnap qunetswitch
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Qnap Systems
Qnap Systems qunetswitch
Vendors & Products Qnap Systems
Qnap Systems qunetswitch

Fri, 20 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description A command injection vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.4.0415 and later
Title QuNetSwitch
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Qnap Qunetswitch
Qnap Systems Qunetswitch
cve-icon MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-03-25T14:03:53.117Z

Reserved: 2026-01-13T07:49:08.784Z

Link: CVE-2026-22897

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T17:16:44.147

Modified: 2026-03-25T21:06:25.027

Link: CVE-2026-22897

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:20:39Z

Weaknesses