VYPR
← All advisories
Unrated severityNVD Advisory· Published Feb 2, 2024· Updated Jun 16, 2025

QTS, QuTS hero, QuTScloud

CVE-2023-45025

Description

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.

We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An OS command injection in QNAP operating systems allows authenticated users to execute arbitrary commands over the network.

Vulnerability

An OS command injection vulnerability exists in QNAP QTS, QuTS hero, and QuTScloud operating systems. The flaw can be triggered when the system is in a certain configuration, allowing command injection via network requests. Affected versions include QTS 5.1.x and 4.5.x, QuTS hero h5.1.x and h4.5.x, and QuTScloud 5.x [1].

Exploitation

To exploit this vulnerability, an attacker must have network access and the ability to send specially crafted requests to the affected system. User interaction may be required depending on the specific configuration. The exact attack vector and necessary privileges are not detailed in the available references [1].

Impact

Successful exploitation can allow users to execute arbitrary operating system commands on the device via the network. This could lead to full compromise of the NAS, including data exposure, modification, or disruption of services [1].

Mitigation

QNAP has fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later, QTS 4.5.4.2627 build 20231225 and later, QuTS hero h5.1.4.2596 build 20231128 and later, QuTS hero h4.5.4.2626 build 20231225 and later, and QuTScloud c5.1.5.2651 and later [1]. Users should update their systems to the latest available version. No workarounds are provided.

References
  1. Vulnerability in QTS, QuTS hero and QuTScloud - Security Advisory

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6
  • Qnap/Qtsllm-fuzzy
    Range: <= 5.1.4.2596 build 20231128, <= 4.5.4.2627 build 20231225
  • Qnap/QuTS herollm-fuzzy
    Range: <= h5.1.4.2596 build 20231128, <= h4.5.4.2626 build 20231225
  • Qnap/QuTScloudllm-fuzzy
    Range: <= c5.1.5.2651
  • QNAP Systems Inc./QTSv5
    Range: 5.1.x
  • QNAP Systems Inc./QuTScloudv5
    Range: c5.x.x
  • QNAP Systems Inc./QuTS herov5
    Range: h5.1.x

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.