Description
A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands.

We have already fixed the vulnerability in the following versions:
QTS 5.2.9.3492 build 20260507 and later
QuTS hero h5.2.9.3499 build 20260514 and later
Published: 2026-06-10
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw (CWE-78) that permits a remote attacker, once in possession of an administrator account, to execute arbitrary operating system commands on a QNAP device. This capability effectively translates to full remote code execution, compromising confidentiality, integrity, and availability of the device and any data it manages. The impact is thus complete control over the affected system.

Affected Systems

The flaw affects QNAP Systems Inc. products QTS and QuTS hero. Versions earlier than QTS 5.2.9.3492 build 20260507 and QuTS hero h5.2.9.3499 build 20260514 are susceptible. Any device running those older releases should be considered vulnerable until upgraded.

Risk and Exploitability

Based on the description, it is inferred that the attacker must first obtain administrator credentials—commonly via phishing or credential reuse—before exploiting the injection flaw. The likely attack vector is the remote administrative interface; if the device exposes these interfaces to the network, the vulnerability can be reached from outside the local network. With a CVSS score of 6.1, the risk is moderate, and the EPSS score of <1% indicates low current exploitation probability, though the lack of a KEV listing does not eliminate the need for remediation.

Generated by OpenCVE AI on June 30, 2026 at 03:51 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later


OpenCVE Recommended Actions

  • Install the latest firmware: upgrade QTS to 5.2.9.3492 build 20260507 or newer, or upgrade QuTS hero to h5.2.9.3499 build 20260514 or newer.
  • Restrict remote access to the device’s administrative interfaces, for example by limiting allowed IP addresses or enabling local‑network‑only access.
  • Strengthen administrative account security by enforcing strong, unique passwords, disabling unused admin accounts, and enabling two‑factor authentication if supported.

Generated by OpenCVE AI on June 30, 2026 at 03:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

cvssV4_0

{'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}


Mon, 15 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Qnap
Qnap qts
Qnap quts Hero
CPEs cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*
cpe:2.3:o:qnap:quts_hero:*:*:*:*:*:*:*:*
Vendors & Products Qnap
Qnap qts
Qnap quts Hero
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Wed, 10 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Qnap Systems
Qnap Systems qts
Qnap Systems quts Hero
Vendors & Products Qnap Systems
Qnap Systems qts
Qnap Systems quts Hero

Wed, 10 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Description A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later
Title QTS, QuTS hero
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-06-30T01:46:02.468Z

Reserved: 2026-01-26T06:41:35.897Z

Link: CVE-2026-24719

cve-icon Vulnrichment

Updated: 2026-06-10T15:47:00.937Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-10T04:17:17.007

Modified: 2026-06-15T18:33:24.003

Link: CVE-2026-24719

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T04:00:08Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')