Description
A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands.

We have already fixed the vulnerability in the following versions:
QTS 5.2.9.3492 build 20260507 and later
QuTS hero h5.2.9.3499 build 20260514 and later
Published: 2026-06-10
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw that permits a remote attacker with administrative privileges to execute arbitrary operating system commands on a QNAP device, leading to full remote code execution and compromise of confidentiality, integrity, and availability. The weakness is defined as CWE‑78.

Affected Systems

The flaw affects QNAP Systems Inc. products QTS and QuTS hero. Versions prior to QTS 5.2.9.3492 build 20260507 and QuTS hero h5.2.9.3499 build 20260514 are susceptible. All systems running those older releases should be considered vulnerable until upgraded.

Risk and Exploitability

The flaw carries a CVSS score of 8.6, indicating high severity. Although the EPSS score is not currently available, the lack of a KEV listing does not guarantee low risk; the attacker still needs administrator credentials, which may be obtained through phishing or credential harvesting. The attack vector is remote network, making the vulnerability exploitable from outside the local network if administrative interfaces are exposed. Once exploited, the attacker can gain full control of the device.

Generated by OpenCVE AI on June 10, 2026 at 04:21 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later

OpenCVE Recommended Actions

  • Install the latest firmware: upgrade QTS to 5.2.9.3492 build 20260507 or newer, or upgrade QuTS hero to h5.2.9.3499 build 20260514 or newer.
  • Restrict remote access to the device’s administrative interfaces, for example by limiting allowed IP addresses or enabling local‑network‑only access.
  • Strengthen administrative account security by enforcing strong, unique passwords, disabling unused admin accounts, and enabling two‑factor authentication if supported.

Generated by OpenCVE AI on June 10, 2026 at 04:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Qnap Systems
Qnap Systems qts
Qnap Systems quts Hero
Vendors & Products Qnap Systems
Qnap Systems qts
Qnap Systems quts Hero

Wed, 10 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Description A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later
Title QTS, QuTS hero
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Qnap Systems Qts Quts Hero
cve-icon MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-06-10T03:14:52.892Z

Reserved: 2026-01-26T06:41:35.897Z

Link: CVE-2026-24719

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T04:17:17.007

Modified: 2026-06-10T04:17:17.007

Link: CVE-2026-24719

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T04:30:06Z

Weaknesses