CVE-2023-47565
Published 2023-12-08
CVE-2023-47565: An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x. If exploited, the vulnerability could…
Priority: P1 · 90 · high · 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
KEV: CISA Known Exploited Vulnerability, due 2024-01-11
ITW: Exploited in the wild
EPSS: 73.28% (99.4th percentile)
An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x. If exploited, the vulnerability could allow authenticated users to execute commands via a network.
We have already fixed the vulnerability in the following versions:
QVR Firmware 5.0.0 and later
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qnap | qvr_firmware | >= 4.0.0 < 5.0.0 | 5.0.0 |
| qnap_systems_inc | viostor_nvr | >= 4.x < 5.0.0 | 5.0.0 |
Detection & IOCs (extracted from sources)
url: /cgi-bin/server/server.cgi
other: SPECIFIC_SERVER=
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS QNAP Viostor server.cgi SPECIFIC_SERVER Parameter Command Injection Attempt (CVE-2023-47565)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/server/server.cgi"; fast_pattern; startswith; http.request_body; content:"SPECIFIC_SERVER|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2023-47565; reference:url,www.akamai.com/blog/security-research/qnap-viostor-zero-day-vulnerability-spreading-mirai-patched; classtype:attempted-admin; sid:2059878; rev:1;)
- Exploit targets HTTP POST requests to /cgi-bin/server/server.cgi with the SPECIFIC_SERVER parameter containing OS command injection characters (semicolon, newline, backtick, pipe, dollar sign, both literal and URL-encoded).
- The vulnerability is exploited via NTP settings manipulation on the device, leading to remote code execution.
- The InfectedSlurs Mirai-based botnet was observed actively exploiting this CVE against QNAP VioStor NVR devices running QVR firmware 4.x, likely starting in late 2022.
- Exploitation requires authenticated access (low-privilege authenticated user) over the network (adjacent or remote), with low attack complexity. Monitor for unexpected authenticated POST requests to NVR management CGI endpoints.
- Only QNAP VioStor NVR devices running QVR Firmware 4.x are affected. Devices already on QVR Firmware 5.0.0 or later are not vulnerable.
- EOL VioStor NVR models may not have a firmware 5.x update available and will never receive a patch; the only remediation for those devices is hardware replacement.
- The Snort/Suricata rule (sid:2059878) is scoped to plaintext HTTP traffic (tls_state plaintext) and perimeter/internal deployment; it will not fire on TLS-encrypted management traffic.
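The rule's match conditions restated as a Python check, for hunting through proxy or web-server logs that retain request bodies. This is an added example, not part of the rule set or any vendor's code; the sample requests, the parameter `a` and the `PLACEHOLDER` values are constructed and inert.

```python
import re

# Same alternatives as the rule's pcre, applied immediately after
# "SPECIFIC_SERVER=" (the /R modifier): stay inside the parameter value
# (no '&'), then a shell metacharacter, literal or URL-encoded:
# semicolon, newline, backtick, pipe, dollar sign.
# The body is inspected raw (not URL-decoded), hence both forms.
METACHAR = re.compile(r"[^&]*?(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)")
URI_PREFIX = "/cgi-bin/server/server.cgi"
PARAM = "SPECIFIC_SERVER="


def matches_rule(method, uri, body):
    """True when a plaintext HTTP request satisfies the rule's conditions."""
    if method != "POST" or not uri.startswith(URI_PREFIX):
        return False
    # Check every occurrence of the parameter, not only the first one.
    start = body.find(PARAM)
    while start != -1:
        if METACHAR.match(body, start + len(PARAM)):
            return True
        start = body.find(PARAM, start + 1)
    return False


# Constructed sample requests: (method, uri, raw request body).
SAMPLES = [
    ("POST", URI_PREFIX, "SPECIFIC_SERVER=pool.ntp.org&a=1"),            # clean value
    ("POST", URI_PREFIX, "SPECIFIC_SERVER=pool.ntp.org;PLACEHOLDER"),    # literal ';'
    ("POST", URI_PREFIX, "a=1&SPECIFIC_SERVER=pool.ntp.org%7cPLACEHOLDER"),  # encoded '|'
    ("POST", URI_PREFIX, "SPECIFIC_SERVER=pool.ntp.org&a=x;y"),          # ';' in another field
    ("GET", URI_PREFIX, "SPECIFIC_SERVER=pool.ntp.org;PLACEHOLDER"),     # wrong method
    ("POST", "/cgi-bin/other.cgi", "SPECIFIC_SERVER=pool.ntp.org;PLACEHOLDER"),  # wrong URI
]


def triage(samples):
    """Return one boolean per sample, in order."""
    return [matches_rule(m, u, b) for (m, u, b) in samples]


if __name__ == "__main__":
    for sample, hit in zip(SAMPLES, triage(SAMPLES)):
        print("ALERT" if hit else "ok   ", sample)
```

The fourth sample shows why the pattern excludes `&`: a metacharacter in a neighbouring parameter does not count as a hit on `SPECIFIC_SERVER`.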
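CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 8.0 | HIGH | |
| cisa | | 8.8 | HIGH | |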
GHSA
GHSA-vj55-4r38-w2gh: An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4
ghsa_unreviewed·2023-12-08
CVE-2023-47565 [HIGH] CWE-78 GHSA-vj55-4r38-w2gh: An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4
VulnCheck
QNAP VioStor NVR OS Command Injection Vulnerability
vulncheck·2023·CVSS 8.0
CVE-2023-47565 [HIGH] CWE-78 QNAP VioStor NVR OS Command Injection Vulnerability
QNAP VioStor NVR contains an OS command injection vulnerability that allows authenticated users to execute commands via a network.
Affected: QNAP VioStor NVR
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.akamai.com/blog/security-research/qnap-viostor-zero-day-vulnerability-spreading-mirai-patched; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://go.recordedfuture.com/hubfs/reports/ta-2024-0321.pdf; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-09-13&host_type=src&vulnerability=cve-2023-47565; https://dashboard.shadowserver.org/statistics/hon
CISA ICS
QNAP VioStor NVR
cisa_ics·2023-12-21·CVSS 8.0
[HIGH] QNAP VioStor NVR
ICS Advisory
## QNAP VioStor NVR
Release Date: December 21, 2023
Alert Code: ICSA-23-355-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.0
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available/known public exploitation
- Vendor: QNAP
- Equipment: VioStor NVR
- Vulnerability: OS Command Injection
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution by exploiting NTP settings.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of QNAP VioStor NVR are affected:
- VioStor NVR QVR firmware: All versions prior to 4.x
## 3.2 Vulnerability Overview
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJEC
CISA
QNAP VioStor NVR OS Command Injection Vulnerability
cisa·2023-12-21·CVSS 8.8
CVE-2023-47565 [HIGH] CWE-78 QNAP VioStor NVR OS Command Injection Vulnerability
Vulnerability: QNAP VioStor NVR OS Command Injection Vulnerability
Affected: QNAP VioStor NVR
QNAP VioStor NVR contains an OS command injection vulnerability that allows authenticated users to execute commands via a network.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.qnap.com/en/security-advisory/qsa-23-48 ; https://nvd.nist.gov/vuln/detail/CVE-2023-47565
Remediation Due Date: 2024-01-11
Suricata
ET WEB_SPECIFIC_APPS QNAP Viostor server.cgi SPECIFIC_SERVER Parameter Command Injection Attempt (CVE-2023-47565)
suricata·2025-02-04·CVSS 8.0
CVE-2023-47565 [HIGH] ET WEB_SPECIFIC_APPS QNAP Viostor server.cgi SPECIFIC_SERVER Parameter Command Injection Attempt (CVE-2023-47565)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS QNAP Viostor server.cgi SPECIFIC_SERVER Parameter Command Injection Attempt (CVE-2023-47565)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/server/server.cgi"; fast_pattern; startswith; http.request_body; content:"SPECIFIC_SERVER|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2023-47565; reference:url,www.akamai.com/blog/security-research/qnap-viostor-zero-day-vulnerability-spreading-mirai-patched; classtype:attempted-admin; sid:2059878; rev:1; metadata:affected_product QNAP, attack_target Networki
No public exploits indexed.
Trendmicro
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
blogs_trendmicro·2025-10-09·CVSS 8.8
[HIGH] RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Cyber Threats
## RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.
By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus. Oct 09, 2025
Trend customers can be reassured that they have been protected against vulnerabilities like CVE-2023-1389 since it was disclosed at Pwn2Own.
Below is the timeline showing key events in the RondoDox vulnerability, from discovery to exploitation:
December 6, 2022: Tri Dang and Bien Pham (@bienpnn) from Qrious Secure exploit the WAN interface of TP-Link AX1800 at Pwn2Own Toronto 2022.
Januar
Trendmicro
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
blogs_trendmicro·2025-10-09·CVSS 8.8
[HIGH] RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Cyber Threats
## RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
The Trend Zero Day Initiative™ (ZDI) and Trend™ Research teams have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.
By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus. Oct 09, 2025
Trend customers can be reassured that they have been protected against vulnerabilities like CVE-2023-1389 since it was disclosed at Pwn2Own.
Below is the timeline showing key events in the RondoDox vulnerability, from discovery to exploitation:
December 6, 2022: Tri Dang and Bien Pham (@bienpnn) from Qrious Secure exploit the WAN interface of TP-Link AX1800 at Pwn2Ow
Trendmicro
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
blogs_trendmicro·2025-10-09
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Cyber Threats
# RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.
By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus
2025/10/09
Key takeaways
- The campaign exposes organizations to the risks of data exfiltration, persistent network compromise, and operational disruption for organizations with exposed infrastructure.
- Organizations operating internet-facing network devices are at heightened risk. Active exploitation has been observed globally since mid-2025, with several CVEs now included in CISA’s Known Exploited Vul
Bleepingcomputer
RondoDox botnet targets 56 n-day flaws in worldwide attacks
blogs_bleepingcomputer·2025-10-09·CVSS 8.8
[HIGH] RondoDox botnet targets 56 n-day flaws in worldwide attacks
## RondoDox botnet targets 56 n-day flaws in worldwide attacks
## Bill Toulas
A new large-scale botnet called RondoDox is targeting 56 vulnerabilities in more than 30 distinct devices, including flaws first disclosed during Pwn2Own hacking competitions.
The attacker focuses on a wide range of exposed devices, including DVRs, NVRs, CCTV systems, and web servers, and has been active since June.
The RondoDox botnet leverages what Trend Micro researchers call an “exploit shotgun” strategy, where numerous exploits are used simultaneously to maximize the infections, even if the activity is very noisy.
Since FortiGuard Labs discovered RondoDox, the botnet appears to have expanded the list of exploited vulnerabilities, which included CVE-2024-3721 and CVE-2024-12856.
## Mass n-day exploitat
Bleepingcomputer
QNAP VioStor NVR vulnerability actively exploited by malware botnet
blogs_bleepingcomputer·2023-12-16·CVSS 8.0
[HIGH] QNAP VioStor NVR vulnerability actively exploited by malware botnet
## QNAP VioStor NVR vulnerability actively exploited by malware botnet
## Bill Toulas
A Mirai-based botnet named 'InfectedSlurs' is exploiting a remote code execution (RCE) vulnerability in QNAP VioStor NVR (Network Video Recorder) devices to hijack and make them part of its DDoS (distributed denial of service) swarm.
The botnet was discovered by Akamai's Security Intelligence Response Team (SIRT) in October 2023, who observed the exploitation of two zero-day vulnerabilities in routers and NVR devices, likely starting in late 2022.
At the time, and due to the vendors not having released patches, Akamai opted not to disclose any information about the flaws that InfectedSlurs was exploiting.
As the security updates or information about the two zero-days have been made available, Akamai
2023-12-08: Published
2023-12-21: Added to CISA KEV
Exploited in the wild