Description
A use of hard-coded credentials vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to gain unauthorized access.

We have already fixed the vulnerability in the following version:
QuNetSwitch 2.0.5.0906 and later
Published: 2026-03-20
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized remote access
Action: Apply Patch
AI Analysis

Impact

A hard‑coded credentials vulnerability was identified in QNAP Systems Inc.'s QuNetSwitch device. The flaw lets a remote attacker authenticate with credentials embedded in the product instead of valid user credentials, granting unauthorized access to the system. The weakness is classified as CWE-798 (Use of Hard-coded Credentials).

Affected Systems

All releases of QuNetSwitch prior to version 2.0.5.0906 are affected. Products from QNAP Systems Inc. that include QuNetSwitch firmware below this version contain the hard‑coded credential flaw.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 score of 6.8, indicating moderate severity. The record's history also lists a CVSS 3.1 score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), added on 25 March 2026. The EPSS score is below 1%, implying a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers could exploit the flaw by interacting with the device over the network, targeting the management interface or other exposed services that rely on the hard‑coded credentials. No additional prerequisites beyond network access are described in the advisory.

Generated by OpenCVE AI on March 25, 2026 at 23:54 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later


OpenCVE Recommended Actions

  • Upgrade QuNetSwitch to version 2.0.5.0906 or later as released by QNAP
  • Verify the firmware version after the upgrade to ensure the fix has been applied



Advisories

No advisories yet.

History

Wed, 25 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Qnap; Qnap qunetswitch
CPEs | | cpe:2.3:a:qnap:qunetswitch:*:*:*:*:*:*:*:*
Vendors & Products | | Qnap; Qnap qunetswitch
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 25 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Qnap Systems; Qnap Systems qunetswitch
Vendors & Products | | Qnap Systems; Qnap Systems qunetswitch

Fri, 20 Mar 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | A use of hard-coded credentials vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to gain unauthorized access. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later
Title | | QuNetSwitch
Weaknesses | | CWE-798
References | |
Metrics | | cvssV4_0: {'score': 6.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-03-25T14:04:41.325Z

Reserved: 2026-01-13T07:49:08.784Z

Link: CVE-2026-22900

Vulnrichment

Updated: 2026-03-25T14:04:37.678Z

NVD

Status: Analyzed

Published: 2026-03-20T17:16:44.467

Modified: 2026-03-25T21:07:01.093

Link: CVE-2026-22900

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:20:40Z

Weaknesses