⚠ Actively exploited
Added to CISA KEV on 2022-04-11. Federal agencies required to patch by 2022-05-02. Required action: Apply updates per vendor instructions..

CVE-2020-2509Command Injection in Systems INC Quts Hero

CWE-77Command InjectionCWE-78OS Command Injection5 documents5 sources
Severity
9.8CRITICALNVD
EPSS
84.0%
top 0.70%
CISA KEV
KEV
Added 2022-04-11
Due 2022-05-02
Exploit
Exploited in wild
Active exploitation observed
Affected products
4
Qnap Systems INC QTSQnap Systems INC Quts HeroQnap QTS+1 more
Timeline
PublishedApr 17
KEV addedApr 11
KEV dueMay 2
Latest updateMay 24
CISA Required Action: Apply updates per vendor instructions.

Description

A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later QTS 4.5.1.1495 Build 20201123 and later QTS 4.3.6.1620 Build 20210322 and later QTS 4.3.4.1632 Build 20210324 and later QTS 4.3.3.1624 Build 20210416 and later QTS 4.2.6 Build 20210327 and later QuTS h

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

NVDqnap/quts_hero< h4.5.1+2
CVEListV5qnap_systems_inc/quts_herounspecifiedh4.5.1.1491 build 20201119
NVDqnap/qts4.3.54.3.6+68
CVEListV5qnap_systems_inc/qtsunspecified4.5.2.1566 Build 20210202+5

🔴Vulnerability Details

3
GHSA
GHSA-77jf-5mcg-g6m9: A command injection vulnerability has been reported to affect QTS and QuTS hero2022-05-24
CVEList
Command Injection Vulnerability in QTS and QuTS hero2021-04-17
VulnCheck
QNAP Network-Attached Storage (NAS) Command Injection Vulnerability2020

📋Vendor Advisories

1
CISA
QNAP Network-Attached Storage (NAS) Command Injection Vulnerability2022-04-11
CVE-2020-2509 — Command Injection | cvebase