⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2017-6361: OS Command Injection in QNAP QTS

Severity
9.8 CRITICAL (NVD)
EPSS
90.5%
top 0.39%
CISA KEV
Not in KEV
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
Published: Mar 23
Latest update: May 13

Description

QNAP QTS before 4.2.4 Build 20170313 allows attackers to execute arbitrary commands via unspecified vectors.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (1 package)

NVD: qnap/qts 4.2.4

🔴 Vulnerability Details (3)

GHSA
GHSA-pv6p-xwp7-mhqm: QNAP QTS before 4 (2022-05-13)
CVEList
CVE-2017-6361: QNAP QTS before 4 (2017-03-23)
VulnCheck
QNAP QTS Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (2017)

💥 Exploits & PoCs (1)

Exploit-DB
QNAP TVS-663 QTS < 4.2.4 build 20170313 - Command Injection (2017-04-07)

🕵️ Threat Intelligence (4)

Trendmicro
VPNFilter-affected Devices Still Riddled with 19 Bugs (2018-07-13)
Trendmicro
VPNFilter-affected Devices Still Riddled with 19 Bugs (2018-07-13)
Trendmicro
VPNFilter-affected Devices Still Riddled with 19 Bugs (2018-07-13)
Trendmicro
Identifying Top Vulnerabilities in Networks (2018-05-29)
CVE-2017-6361 — OS Command Injection in Qnap QTS | cvebase