VYPR
Unrated severity · NVD Advisory · Published Feb 2, 2024 · Updated Jun 16, 2025

QTS, QuTS hero, QuTScloud

CVE-2023-47566

Description

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.

We have already fixed the vulnerability in the following versions:
  • QTS 5.1.5.2645 build 20240116 and later
  • QuTS hero h5.1.5.2647 build 20240118 and later
  • QuTScloud c5.1.5.2651 and later

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated administrators can achieve OS command injection in QNAP QTS, QuTS hero, and QuTScloud, allowing arbitrary command execution over the network.

Vulnerability

An OS command injection vulnerability exists in the QNAP QTS, QuTS hero, and QuTScloud operating systems. The flaw allows authenticated administrators to execute arbitrary commands over the network. Affected versions include QTS 5.1.x, QuTS hero h5.1.x, and QuTScloud c5.x. The vulnerability is fixed in QTS 5.1.5.2645 build 20240116 and later, QuTS hero h5.1.5.2647 build 20240118 and later, and QuTScloud c5.1.5.2651 and later [1].

Exploitation

An attacker must be an authenticated administrator with network access to the QNAP device. The vulnerability is exploited by sending a crafted request that injects OS commands into a vulnerable parameter. No user interaction beyond the attacker's own administrative actions is required. The exact injection point or required configuration is not disclosed in the available references [1].

Impact

Successful exploitation allows an authenticated administrator to execute arbitrary OS commands on the device. This can lead to full compromise of the NAS system, including data exfiltration, modification, or denial of service. The attacker gains root-level command execution capabilities [1].

Mitigation

QNAP has released fixed versions: QTS 5.1.5.2645 build 20240116 and later, QuTS hero h5.1.5.2647 build 20240118 and later, and QuTScloud c5.1.5.2651 and later. Users should update their device firmware via Control Panel > System > Firmware Update or by downloading from the QNAP Download Center. No workaround is provided if the patch cannot be applied immediately [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6
  • Qnap/Qts (llm-fuzzy)
    Range: <5.1.5.2645
  • Qnap/QuTS hero (llm-fuzzy)
    Range: <h5.1.5.2647
  • Qnap/QuTScloud (llm-fuzzy)
    Range: <c5.1.5.2651
  • QNAP Systems Inc./QTS (v5)
    Range: 5.1.x
  • QNAP Systems Inc./QuTScloud (v5)
    Range: c5.x.x
  • QNAP Systems Inc./QuTS hero (v5)
    Range: h5.1.x


References

1
