cbcvebase.
CVE-2023-47565
published 2023-12-08

CVE-2023-47565: An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x. If exploited, the vulnerability could…

PriorityP190high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2024-01-11
Exploited in the wild
EPSS
73.28%
99.4th percentile
An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QVR Firmware 5.0.0 and later

Affected

2 ranges
VendorProductVersion rangeFixed in
qnapqvr_firmware>= 4.0.0 < 5.0.05.0.0
qnap_systems_incviostor_nvr>= 4.x < 5.0.05.0.0

Detection & IOCsextracted from sources · hover to see the quote

url/cgi-bin/server/server.cgi
otherSPECIFIC_SERVER=
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS QNAP Viostor server.cgi SPECIFIC_SERVER Parameter Command Injection Attempt (CVE-2023-47565)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/server/server.cgi"; fast_pattern; startswith; http.request_body; content:"SPECIFIC_SERVER|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2023-47565; reference:url,www.akamai.com/blog/security-research/qnap-viostor-zero-day-vulnerability-spreading-mirai-patched; classtype:attempted-admin; sid:2059878; rev:1;)
  • Exploit targets HTTP POST requests to /cgi-bin/server/server.cgi with the SPECIFIC_SERVER parameter containing OS command injection characters (semicolon, newline, backtick, pipe, dollar sign — both literal and URL-encoded).
  • The vulnerability is exploited via NTP settings manipulation on the device, leading to remote code execution.
  • The InfectedSlurs Mirai-based botnet was observed actively exploiting this CVE against QNAP VioStor NVR devices running QVR firmware 4.x, likely starting in late 2022.
  • Exploitation requires authenticated access (low-privilege authenticated user) over the network (adjacent or remote), with low attack complexity — monitor for unexpected authenticated POST requests to NVR management CGI endpoints.
  • ·Only QNAP VioStor NVR devices running QVR Firmware 4.x are affected. Devices already on QVR Firmware 5.0.0 or later are not vulnerable.
  • ·EOL VioStor NVR models may not have a firmware 5.x update available and will never receive a patch; the only remediation for those devices is hardware replacement.
  • ·The Snort/Suricata rule (sid:2059878) is scoped to plaintext HTTP traffic (tls_state plaintext) and perimeter/internal deployment; it will not fire on TLS-encrypted management traffic.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck8.0HIGH
cisa8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.