CVE-2023-47218
published 2024-02-13


Priority: P1 88 high · CVSS 3.1 base score 8.3
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:L / I:L / A:L
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 89.16% (99.8th percentile)
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions:

  • QTS 5.1.5.2645 build 20240116 and later
  • QuTS hero h5.1.5.2647 build 20240118 and later
  • QuTScloud c5.1.5.2651 and later

Affected

8 ranges
Vendor            Product    Version range                            Fixed in
qnap              qts        >= 5.1.0 < 5.1.5.2645                    5.1.5.2645
qnap              quts_hero  >= h5.1.0 < h5.1.5.2647                  h5.1.5.2647
qnap              qutscloud  >= c5.0.0.1919 < c5.1.5.2651             c5.1.5.2651
qnap_systems_inc  qts        >= 5.1.x < 5.1.5.2645 build 20240116     5.1.5.2645 build 20240116
qnap_systems_inc  quts_hero  >= h5.1.x < h5.1.5.2647 build 20240118   h5.1.5.2647 build 20240118
qnap_systems_inc  qutscloud  >= c5.x < c5.1.5.2651                    c5.1.5.2651

Detection & IOCs (extracted from sources)

path: /cgi-bin/quick/quick.cgi
url: /cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image
command: %22$($(echo -n aWQ=|base64 -d)>{{file}})%22
snort rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS QNAP quick.cgi uploaf_firmware_image Command Injection Attempt (CVE-2023-47218)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image"; fast_pattern; http.user_agent; content:"Mozilla"; content:"Macintosh"; http.request_body; content:"|3d 22|%22"; content:"|22|"; within:200; reference:url,www.rapid7.com/blog/post/2024/02/13/cve-2023-47218-qnap-qts-and-quts-hero-unauthenticated-command-injection-fixed/; reference:cve,2023-47218; classtype:trojan-activity; sid:2050811; rev:1; metadata:affected_product QNAP, attack_target Networking_Equipment, created_at 2024_02_13, cve CVE_2023_47218, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_02_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
  • The vulnerable endpoint `quick.cgi` is only active on UNINITIALIZED QNAP NAS devices. Once a device is provisioned/initialized, the component is disabled. Detections should focus on devices that have not yet been set up.
  • Exploit POST requests to `/cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image` use a multipart/form-data body with command injection payloads embedded in Content-Disposition field values (not standard field names). Look for `|3d 22|%22` and `|22|` byte patterns in the request body within 200 bytes of each other.
  • Successful exploitation results in a first response containing `code": 200` and `full_path_filename success`, followed by a second request to the dropped file path that returns output containing `uid=` and `gid=` (confirming command execution as a system user).
  • The Snort/ET rule (SID 2050811) also requires User-Agent to contain both `Mozilla` and `Macintosh` strings, which may be characteristic of known exploit tooling for this CVE.
  • The vulnerability only affects uninitialized QNAP NAS devices. Perimeter detection should be scoped accordingly; initialized devices are not exposed to this attack vector.
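As an added example (not part of this record, the referenced sources, or the ET ruleset), the following Python re-implements the conditions of ET SID 2050811 quoted above and runs them over constructed requests. The URI and body byte markers are taken from the rule; the User-Agent strings, request bodies and the names `matches_et_2050811` and `scan` are assumptions chosen here.

```python
TARGET_URI = "/cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image"
BODY_MARKER = b'="%22'   # the rule's content:"|3d 22|%22"
CLOSING_QUOTE = b'"'     # the rule's content:"|22|"; within:200


def matches_et_2050811(method, uri, user_agent, body):
    """True only when every condition of ET SID 2050811 holds for one request."""
    if method.upper() != "POST" or TARGET_URI not in uri:
        return False
    # The rule requires both substrings in the User-Agent header.
    if "Mozilla" not in user_agent or "Macintosh" not in user_agent:
        return False
    start = body.find(BODY_MARKER)
    if start == -1:
        return False
    # Snort's within:200 means the second match must end no more than
    # 200 bytes after the end of the first match.
    first_end = start + len(BODY_MARKER)
    return body.find(CLOSING_QUOTE, first_end, first_end + 200) != -1


def scan(requests):
    """Return the names of the requests (a dict of dicts) that trip the rule."""
    return [name for name, r in requests.items() if matches_et_2050811(**r)]


# Constructed sample requests, not captured traffic. The multipart body
# carries a placeholder in the filename value instead of any injected command.
MAC_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
MULTIPART = (b'--b\r\nContent-Disposition: form-data; name="image"; '
             b'filename="%22CONSTRUCTED_PLACEHOLDER%22"\r\n\r\nx\r\n--b--')
SAMPLES = {
    "shaped_like_exploit": dict(method="POST", uri=TARGET_URI,
                                user_agent=MAC_UA, body=MULTIPART),
    # Same URI and body, but a User-Agent without "Macintosh": the rule stays silent.
    "other_user_agent": dict(method="POST", uri=TARGET_URI,
                             user_agent="curl/8.0.1", body=MULTIPART),
    # Ordinary upload to a different (constructed) CGI path.
    "benign_upload": dict(method="POST", uri="/cgi-bin/example.cgi", user_agent=MAC_UA,
                          body=b'--b\r\nContent-Disposition: form-data; name="f"\r\n\r\n1\r\n--b--'),
}

if __name__ == "__main__":
    print(scan(SAMPLES))  # ['shaped_like_exploit']
```

The `other_user_agent` sample shows the rule's dependence on the `Mozilla`/`Macintosh` header strings: the same URI and body pass unflagged when the header differs, so pair the rule with the host-side indicators above (the follow-up request to the dropped file returning `uid=`/`gid=` output) rather than relying on it alone.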

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     8.3    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
vulncheck           5.8    MEDIUM