QTS, QuTS hero, QuTScloud
Description
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.
We have already fixed the vulnerability in the following versions:
- QTS 5.1.5.2645 build 20240116 and later
- QTS 4.5.4.2627 build 20231225 and later
- QTS 4.3.6.2665 build 20240131 and later
- QTS 4.3.4.2675 build 20240131 and later
- QTS 4.3.3.2644 build 20240131 and later
- QTS 4.2.6 build 20240131 and later
- QuTS hero h5.1.5.2647 build 20240118 and later
- QuTS hero h4.5.4.2626 build 20231225 and later
- QuTScloud c5.1.5.2651 and later
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An OS command injection in QNAP QTS, QuTS hero, and QuTScloud allows unauthenticated remote attackers to execute arbitrary commands on exposed NAS devices.
Vulnerability
CVE-2023-50358 is an OS command injection vulnerability in QNAP QTS, QuTS hero, and QuTScloud operating systems. The flaw resides in the web-based management interface and allows an unauthenticated attacker to inject operating system commands via specially crafted network requests. Affected versions include QTS 5.x and 4.x series before the fully fixed builds listed in QSA-23-57 [2], QuTS hero h5.x and h4.x before the respective fixed builds, and QuTScloud c5.x before version c5.1.5.2651. The vulnerability was discovered by Palo Alto Networks Unit 42 researchers through telemetry monitoring of zero-day exploitation attempts [1].
Exploitation
According to Unit 42's analysis [1] and the BSI advisory [3], an attacker can exploit this vulnerability without requiring authentication. The attack vector is network-based, and the attacker only needs to send a maliciously crafted HTTP request to the vulnerable QNAP device's web interface. Proof-of-concept code has been publicly released, which lowers the barrier for exploitation [3]. The exploitation does not require user interaction or special privileges on the target system.
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands on the affected QNAP NAS device. This can lead to full compromise of the device, including data exfiltration, installation of malware, or use of the device as a pivot point in further attacks. The CVSS base score is 5.8 (medium severity), but the widespread exposure of QNAP devices on the internet makes the practical impact potentially severe [1][3].
Mitigation
QNAP has released fixed versions in security advisory QSA-23-57 [2]. Fully fixed versions include QTS 5.1.5.2645 build 20240116 and later, QTS 4.5.4.2627 build 20231225 and later, QTS 4.3.6.2665 build 20240131 and later, QTS 4.3.4.2675 build 20240131 and later, QTS 4.3.3.2644 build 20240131 and later, QTS 4.2.6 build 20240131 and later, QuTS hero h5.1.5.2647 build 20240118 and later, QuTS hero h4.5.4.2626 build 20231225 and later, and QuTScloud c5.1.5.2651 and later. Partial mitigation is available via intermediate builds, but full deployment of the latest firmware is recommended [2]. Users should also ensure QNAP devices are not directly exposed to the internet unless necessary and apply network-level protections such as firewalls [1][3].
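A fleet check against the fixed-version list above, added here as an example (not QNAP's code or anything from the advisory): it parses the version strings quoted on this page and judges a device against the listed fixed build that shares the longest version prefix with it, so a QTS 4.3.4.x device is compared with 4.3.4.2675 and not with the numerically smaller 4.3.3.2644. The function names, the branch-matching rule and the sample installed versions are my own assumptions and constructed inputs.

```python
import re

# Fixed versions for this issue as listed on this page (QSA-23-57), keyed by product.
FIXED_VERSIONS = {
    "QTS": [
        "5.1.5.2645 build 20240116",
        "4.5.4.2627 build 20231225",
        "4.3.6.2665 build 20240131",
        "4.3.4.2675 build 20240131",
        "4.3.3.2644 build 20240131",
        "4.2.6 build 20240131",
    ],
    "QuTS hero": ["h5.1.5.2647 build 20240118", "h4.5.4.2626 build 20231225"],
    "QuTScloud": ["c5.1.5.2651"],
}

_VERSION_RE = re.compile(r"^[hc]?(\d+(?:\.\d+)*)(?:\s+build\s+(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Turn 'h5.1.5.2647 build 20240118' into ((5, 1, 5, 2647), 20240118).
    The h/c product prefix is dropped; a missing build date becomes 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, int(m.group(2) or 0)


def _shared_prefix(a, b):
    """Number of leading version components a and b have in common."""
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), min(len(a), len(b)))


def is_fixed(product, installed):
    """True if the installed firmware is at or above the fixed build for its
    branch, False if below it, None if no fixed build is listed for that
    major.minor branch (treat None as unknown, not as safe).
    Assumption (mine, not QNAP's): a device is judged against the listed fixed
    build sharing the longest version prefix, so 4.3.4.x is compared with
    4.3.4.2675, never with the numerically smaller 4.3.3.2644."""
    inst = parse_version(installed)
    best, best_depth = None, 0
    for fixed_text in FIXED_VERSIONS.get(product, []):
        fixed = parse_version(fixed_text)
        depth = _shared_prefix(inst[0], fixed[0])
        if depth > best_depth or (depth == best_depth and best and fixed > best):
            best, best_depth = fixed, depth
    if best_depth < 2:
        return None
    return inst >= best
```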
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (6)
- QNAP Systems Inc. / QTS v5, range: 5.x
- QNAP Systems Inc. / QuTScloud v5, range: c5.x
- QNAP Systems Inc. / QuTS hero v5, range: h5.x
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions (0)
No linked articles in our index yet.