Description
A command injection vulnerability has been reported to affect QuNetSwitch. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands.

We have already fixed the vulnerability in the following version:
QuNetSwitch 2.0.5.0906 and later
Published: 2026-03-20
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a command injection flaw in QuNetSwitch that allows a local administrator to execute arbitrary system commands, potentially compromising the device's confidentiality, integrity, and availability. This weakness corresponds to CWE-78, indicating a system command injection.

Affected Systems

The impacted product is QNAP Systems Inc.’s QuNetSwitch, with all versions before 2.0.5.0906 being vulnerable; versions 2.0.5.0906 and later have been patched.

Risk and Exploitability

The CVSS score of 5.7 reflects moderate severity, while the EPSS score of below 1 % indicates a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be a local attacker who has gained administrator access, requiring preexisting network compromise.

Generated by OpenCVE AI on March 25, 2026 at 23:55 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later

OpenCVE Recommended Actions

  • Update QuNetSwitch to version 2.0.5.0906 or later

Generated by OpenCVE AI on March 25, 2026 at 23:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Qnap
Qnap qunetswitch
CPEs cpe:2.3:a:qnap:qunetswitch:*:*:*:*:*:*:*:*
Vendors & Products Qnap
Qnap qunetswitch
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Qnap Systems
Qnap Systems qunetswitch
Vendors & Products Qnap Systems
Qnap Systems qunetswitch

Fri, 20 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description A command injection vulnerability has been reported to affect QuNetSwitch. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later
Title QuNetSwitch
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Qnap Qunetswitch
Qnap Systems Qunetswitch
cve-icon MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-03-25T14:05:39.936Z

Reserved: 2026-01-13T07:49:08.784Z

Link: CVE-2026-22902

cve-icon Vulnrichment

Updated: 2026-03-25T14:05:37.238Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T17:16:44.783

Modified: 2026-03-25T20:50:13.897

Link: CVE-2026-22902

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:20:42Z

Weaknesses