Impact
The vulnerability is an OS command injection flaw (CWE-78): a remote attacker who already holds an administrator account can execute arbitrary operating system commands on the QNAP device. Because the commands run on the underlying OS rather than inside the web application, this amounts to full remote code execution and compromises the confidentiality, integrity and availability of the device and any data it manages. The practical impact is complete control of the affected system.
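The following is an added illustration of the CWE-78 pattern in general, not QNAP's code and not the vulnerable code path of this CVE (which the advisory does not disclose). It assumes a hypothetical handler that takes a hostname from an authenticated request and runs a command with it. The `echo` command stands in for the real utility so the demonstration runs harmlessly offline; `run_vulnerable`, `run_argv` and `run_hardened` are names chosen here.

```python
import re
import subprocess

# Constructed attacker input: a valid-looking host followed by a shell metacharacter
# and a second command. This is the payload shape CWE-78 is about.
PAYLOAD = "127.0.0.1; echo INJECTED"

# Hostnames: letters, digits, dots and hyphens only. Anything else is rejected
# before it reaches a process. (Assumed policy for this example.)
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]{0,252}$")


def run_vulnerable(host: str) -> str:
    """CWE-78: untrusted input is concatenated into a shell command line.

    With shell=True the string is handed to /bin/sh, which honours ';', '|',
    '&&' and '$(...)' in the attacker's input, so a second command runs.
    """
    cmd = "echo pinging " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(host: str) -> str:
    """No shell: the input is a single argv element and is never parsed.

    The metacharacters survive, but only as literal text in one argument,
    so no second command executes. This alone removes the injection.
    """
    return subprocess.run(["echo", "pinging", host],
                          capture_output=True, text=True).stdout


def run_hardened(host: str) -> str:
    """Defence in depth: validate against an allowlist, then avoid the shell."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return run_argv(host)


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(PAYLOAD)))   # second command runs
    print("argv only: ", repr(run_argv(PAYLOAD)))         # literal text, no execution
    try:
        run_hardened(PAYLOAD)
    except ValueError as exc:
        print("hardened:  ", exc)
```

Both defences matter: the argv form stops the shell from ever seeing the input, and the allowlist stops values that are valid shell text but still meaningless as a hostname from reaching the underlying utility, where they could be interpreted as options.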
Affected Systems
The flaw affects the QNAP Systems Inc. products QTS and QuTS hero. QTS releases earlier than 5.2.9.3492 build 20260507 and QuTS hero releases earlier than h5.2.9.3499 build 20260514 are affected. Treat any device running an older release as vulnerable until it has been upgraded.
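A quick way to turn the version boundaries above into a fleet check is to compare each device's reported firmware string against the fixed builds. The script below is an added example, not a QNAP tool; it assumes firmware strings in the form the advisory uses ("QTS 5.2.9.3492 build 20260507", "QuTS hero h5.2.9.3499 build 20260514"), treats the build date as optional because some inventory exports omit it, and the inventory it runs over is constructed, not real devices.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory: (numeric version, build date).
# Anything earlier than these is affected.
FIXED_RELEASES = {
    "QTS": ((5, 2, 9, 3492), 20260507),
    "QuTS hero": ((5, 2, 9, 3499), 20260514),
}

# "QTS 5.2.9.3492 build 20260507" or "QuTS hero h5.2.9.3499 build 20260514".
# The leading "h" is QuTS hero's convention; the build date may be absent.
VERSION_RE = re.compile(
    r"^(?P<product>QTS|QuTS hero)\s+h?"
    r"(?P<nums>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+build\s+(?P<build>\d{8}))?$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[str, Tuple[int, ...], Optional[int]]:
    """Split a firmware string into (product, numeric tuple, build date or None)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    product = "QuTS hero" if m.group("product").lower() == "quts hero" else "QTS"
    nums = tuple(int(part) for part in m.group("nums").split("."))
    build = int(m.group("build")) if m.group("build") else None
    return product, nums, build


def is_vulnerable(text: str) -> bool:
    """True when the firmware string is earlier than the fixed release."""
    product, nums, build = parse_version(text)
    fixed_nums, fixed_build = FIXED_RELEASES[product]
    if nums != fixed_nums:
        return nums < fixed_nums
    # Same numeric release as the fix, so the build date decides. If it is
    # missing we cannot show the device is patched, so report it as affected.
    return build is None or build < fixed_build


# Constructed sample inventory (hostname -> reported firmware); not real devices.
SAMPLE_INVENTORY = {
    "nas-01": "QTS 5.2.9.3491 build 20260501",
    "nas-02": "QTS 5.2.9.3492 build 20260507",
    "nas-03": "QuTS hero h5.2.8.3100 build 20251201",
    "nas-04": "QuTS hero h5.2.9.3499 build 20260514",
    "nas-05": "QTS 5.2.9.3492",
}


def triage(inventory) -> list:
    """Return, sorted, the hostnames still running an affected release."""
    return sorted(host for host, fw in inventory.items() if is_vulnerable(fw))


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> upgrade required")
```

The comparison is deliberately conservative: a device that reports the fixed numeric version without a build date is flagged, because the advisory's boundary includes the build date and an inventory that drops it cannot prove the device is on the patched build.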
Risk and Exploitability
The description implies that the attacker must already hold administrator credentials (obtained, for example, through phishing or credential reuse) before the injection can be exploited. The likely vector is the remote administrative interface; where that interface is exposed beyond the local network, the flaw is reachable from the internet. The CVSS score of 6.1 rates the risk as medium, which reflects the privilege precondition rather than a limited impact, and the EPSS score below 1% indicates a low current probability of exploitation. The absence of a KEV listing does not remove the need to patch.
OpenCVE Enrichment