vulnerability
QNAP QTS: CVE-2023-39294: Vulnerability in QTS and QuTS hero
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:L/Au:M/C:P/I:P/A:P) | Jan 6, 2024 | Aug 4, 2025 | Mar 25, 2026 |
Severity
6
CVSS
(AV:N/AC:L/Au:M/C:P/I:P/A:P)
Published
Jan 6, 2024
Added
Aug 4, 2025
Modified
Mar 25, 2026
Description
An OS command injection vulnerability has been reported to affect certain QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.
Solution
qnap-qts-upgrade-latest
References
- CWE-78
- CVE-2023-39294
- https://attackerkb.com/topics/CVE-2023-39294
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39294
- https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-39294
- https://www.qnap.com/en-uk/security-advisory/QSA-23-54
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2023-43026
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.