CVE-2020-2509
published 2021-04-17CVE-2020-2509: A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary…
PriorityP197critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOITRansomwareInitial access
CISA Known Exploited Vulnerabilitydue 2022-05-02
Exploited in the wild
EPSS
34.17%
98.2th percentile
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later QTS 4.5.1.1495 Build 20201123 and later QTS 4.3.6.1620 Build 20210322 and later QTS 4.3.4.1632 Build 20210324 and later QTS 4.3.3.1624 Build 20210416 and later QTS 4.2.6 Build 20210327 and later QuTS hero h4.5.1.1491 build 20201119 and later
Affected
79 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qnap | qts | < 4.2.6 | 4.2.6 |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Vulnerability class is command injection on QNAP QTS and QuTS hero NAS devices; monitor for unexpected process spawning from NAS web application processes (e.g., shell commands executed by the NAS management interface) ↗
- →QNAP NAS devices exposed to the network should be monitored for anomalous outbound connections or remote code execution indicators, as this vulnerability enables RCE ↗
- ·Vulnerability affects multiple QTS and QuTS hero firmware branches; patched versions vary per branch — ensure version checks account for all affected lines (QTS 4.2.x, 4.3.3.x, 4.3.4.x, 4.3.6.x, 4.5.1.x, 4.5.2.x, and QuTS hero h4.5.1.x) ↗
- ·This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active in-the-wild exploitation; treat all unpatched QNAP NAS devices as actively at risk ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
cisa9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA
QNAP Network-Attached Storage (NAS) Command Injection Vulnerability
cisa·2022-04-11·CVSS 9.8
CVE-2020-2509 [CRITICAL] CWE-77 QNAP Network-Attached Storage (NAS) Command Injection Vulnerability
Vulnerability: QNAP Network-Attached Storage (NAS) Command Injection Vulnerability
Affected: QNAP QNAP Network-Attached Storage (NAS)
QNAP NAS devices contain a command injection vulnerability which could allow attackers to perform remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-2509
Remediation Due Date: 2022-05-02
GHSA
GHSA-77jf-5mcg-g6m9: A command injection vulnerability has been reported to affect QTS and QuTS hero
ghsa_unreviewed·2022-05-24
CVE-2020-2509 [CRITICAL] CWE-77 GHSA-77jf-5mcg-g6m9: A command injection vulnerability has been reported to affect QTS and QuTS hero
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later QTS 4.5.1.1495 Build 20201123 and later QTS 4.3.6.1620 Build 20210322 and later QTS 4.3.4.1632 Build 20210324 and later QTS 4.3.3.1624 Build 20210416 and later QTS 4.2.6 Build 20210327 and later QuTS hero h4.5.1.1491 build 20201119 and later
VulnCheck
QNAP Network-Attached Storage (NAS) Command Injection Vulnerability
vulncheck·2020·CVSS 9.8
CVE-2020-2509 [CRITICAL] CWE-77 QNAP Network-Attached Storage (NAS) Command Injection Vulnerability
QNAP Network-Attached Storage (NAS) Command Injection Vulnerability
QNAP NAS devices contain a command injection vulnerability which could allow attackers to perform remote code execution.
Affected: QNAP QNAP Network-Attached Storage (NAS)
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cisa.gov/news-events/alerts/2022/04/27/2021-top-routinely-exploited-vulnerabilities; https://cisa.gov/news-events/cybersecurity-advisories/aa22-117a; https://www.ivanti.com/resources/v/doc/pr-survey-report/ransomware-quarterly-indexreport_q2-q3
Exploit PoC: https://vulncheck.com/xdb/533b5e83b1eb
Remediation Due: 2022-05-02
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2021-04-17
Published
2022-04-11
Added to CISA KEV
Exploited in the wild