HIGH 7.2

CVE-2026-22893: QNAP NAS Command Injection Vulnerability (QTS, QuTS hero) – Patch Guidance

A command injection flaw affects QNAP NAS operating systems. An attacker who obtains administrator credentials can use this vulnerability to run arbitrary commands on the affected device, potentially compromising data integrity, confidentiality, and availability. QNAP has released patched versions addressing this issue.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-78
Affected products
2 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3459 build 20260409 and later

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability is classified as OS command injection (CWE-78), allowing authenticated administrators to execute system commands beyond intended restrictions. The CVSS v3.1 score of 7.2 (HIGH) reflects the requirement for elevated privileges to exploit it, but the impact scope includes confidentiality, integrity, and availability compromise. The attack vector is network-based with low complexity, meaning exploitation does not require user interaction or specific configurations once admin access is obtained.

Business impact

A compromised NAS administrator account becomes a pivot point for lateral movement and data exfiltration within storage infrastructure. Organizations relying on QNAP systems for backup, archival, or primary data storage face potential data loss, ransomware deployment, or compliance violations if command execution allows unauthorized modifications or data access. The severity depends on the NAS's role in backup chains and business continuity plans.

Affected systems

QNAP QTS and QuTS hero operating system versions prior to specific patch builds are affected. Fixed versions include: QTS 5.2.9.3410 build 20260214 and later; QuTS hero h5.2.9.3410 build 20260214 and later; QuTS hero h5.3.4.3500 build 20260520 and later; and QuTS hero h6.0.0.3459 build 20260409 and later. Organizations should inventory their NAS devices and cross-reference against these version thresholds.

Exploitability

Exploitation requires valid administrator credentials, which significantly raises the barrier compared to unauthenticated attacks. However, compromised admin accounts—via phishing, credential reuse, or insider threats—are not uncommon in organizations with poor access controls. Once admin access exists, the vulnerability is straightforward to exploit without special tools or complex setup.

Remediation

Apply vendor-supplied patches immediately. For QTS users, upgrade to build 20260214 or later for version 5.2.9.3410. QuTS hero users should upgrade to the appropriate patched build depending on their branch (h5.2, h5.3, or h6.0). Verify patch installation and validate system functionality post-update. Concurrently, enforce strong administrator password policies, multi-factor authentication where supported, and principle of least privilege for admin role assignments.

Patch guidance

Consult the QNAP security advisory for your specific OS version to confirm the exact build number required. Apply patches during a maintenance window to minimize service disruption. Test patches in a non-production environment if possible. After patching, verify that backup jobs, user access, and network connectivity remain functional. Document the patch application date and build number for compliance audits.

Detection guidance

Monitor NAS system logs for unexpected command execution, especially shell invocations or system calls originating from admin sessions. Intrusion detection systems may flag suspicious process spawning under the NAS OS. Network segmentation to restrict NAS admin access to trusted networks reduces exposure window. Endpoint detection and response (EDR) solutions on management workstations can alert on suspicious interactions with NAS admin interfaces. Review access logs to identify which accounts accessed admin functions and when.

Why prioritize this

Although this vulnerability requires administrator privileges, the combination of network accessibility, high impact scope (C, I, A all affected), and prevalence of QNAP systems in enterprise infrastructure justifies prioritization. Organizations should treat this as medium-to-high priority, especially if their NAS devices store sensitive or backup data and if admin account security posture is uncertain.

Risk score, explained

The CVSS v3.1 score of 7.2 reflects a HIGH severity assessment. The network attack vector and low complexity increase concern, but the requirement for high privilege (PR:H) prevents a Critical rating. The impact on confidentiality, integrity, and availability (all High) underscores the serious consequences of successful exploitation. Context-specific risk may be higher if the NAS is part of backup infrastructure or stores regulated data.

Frequently asked questions

Do I need admin credentials to exploit this vulnerability?

Yes. The vulnerability requires a valid administrator account to trigger. This is both a limiting factor and a concern: while it reduces the attack surface compared to unauthenticated flaws, compromised admin credentials through phishing, password spraying, or insider access remain plausible threats.

What versions of QNAP OS are vulnerable?

QTS and QuTS hero versions before the following builds are affected: QTS 5.2.9.3410 prior to build 20260214, QuTS hero h5.2.9.3410 prior to build 20260214, QuTS hero h5.3.4.3500 prior to build 20260520, and QuTS hero h6.0.0.3459 prior to build 20260409. Check your device's System Information panel to confirm your current build number.

Is this vulnerability being actively exploited in the wild?

This vulnerability has not been added to the CISA KEV catalog, indicating no known public exploits or active attacks at the time of publication. However, this should not defer patching, as the simplicity of command injection attacks means weaponization is relatively straightforward once the flaw is disclosed.

What should I do if I cannot patch immediately?

Prioritize access controls: restrict administrator account creation, enforce strong unique passwords, enable MFA if available, and limit admin access to trusted networks only. Monitor logs for anomalous admin activity. Segregate NAS devices from critical infrastructure where feasible. Plan a patch window as soon as possible.

This analysis is based on vulnerability data available as of the advisory publication date. CVSS scores, patch versions, and KEV status reflect source data at that time and may change. Always verify patch applicability against the official QNAP security advisory and your specific device configuration before deployment. This explainer provides strategic guidance; operational decisions should be tailored to your environment's risk profile and business requirements. No exploit code or step-by-step weaponization instructions are provided herein. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).