QTS, QuTS hero, QuTScloud
Description
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.
We have already fixed the vulnerability in the following versions:
- QTS 5.1.5.2645 build 20240116 and later
- QuTS hero h5.1.5.2647 build 20240118 and later
- QuTScloud c5.1.5.2651 and later
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated OS command injection vulnerability in QNAP QTS and QuTS hero's quick.cgi component allows remote attackers to execute arbitrary commands on uninitialized NAS devices.
Vulnerability
The vulnerability resides in the quick.cgi component of QNAP QTS and QuTS hero operating systems, which is exposed via the web-based administration interface on uninitialized NAS devices. This component is intended for initial device provisioning and is disabled after successful initialization. Affected versions include QTS 5.x and 4.x, QuTS hero h5.x and h4.x, and QuTScloud 5.x. The issue is an OS command injection flaw that allows unauthenticated remote code execution [1][2].
Exploitation
An attacker with network access to an uninitialized QNAP NAS device can exploit this vulnerability without authentication. By sending specially crafted HTTP requests to the quick.cgi endpoint, the attacker can inject arbitrary operating system commands. The device must not have been previously initialized (i.e., still in its out-of-box state) for the endpoint to be active [1].
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the target NAS device with root privileges. This can lead to full compromise of the device, including data exfiltration, installation of malware, and further lateral movement within the network [1][2].
Mitigation
QNAP has released fixed versions: QTS 5.1.5.2645 build 20240116 and later, QuTS hero h5.1.5.2647 build 20240118 and later, and QuTScloud c5.1.5.2651 and later. Partially fixed versions are also available for some product lines (e.g., QTS 5.1.0.2444), but full remediation requires installing the fully fixed version [2]. The vendor advisory (QSA-23-57) provides detailed version information [2]. No workaround is available; users should update immediately.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- QNAP Systems Inc. / QTS v5, range: 5.1.x
- QNAP Systems Inc. / QuTScloud v5, range: c5.x
- QNAP Systems Inc. / QuTS hero v5, range: h5.1.x
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.