CVE-2026-22893: QTS, QuTS hero
A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions:
- QTS 5.2.9.3410 build 20260214 and later
- QuTS hero h5.2.9.3410 build 20260214 and later
- QuTS hero h5.3.4.3500 build 20260520 and later
- QuTS hero h6.0.0.3459 build 20260409 and later
Metrics
- CVSS v4.0: 8.6
- Severity: HIGH
- Fixed in: 5.2.9.3410 build 20260214
- Affected Products: 2
HarborGuard Analysis
Synopsis
A command injection vulnerability affects QNAP QTS and QuTS hero operating system versions. The flaw is reachable over the network but requires an attacker to first hold an administrator account; once that condition is met, the attacker can inject and execute arbitrary operating system commands on the affected device. Successful exploitation gives the attacker full control over the device, including the ability to read, modify, or destroy data and disrupt services. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected versions.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in both registries and active pipelines, including custom-built images that layer on top of QNAP base layers.
HarborGuard scores this CVE at 8.6 HIGH using the CVSS v4.0 vector and is capable of weighting that score against each environment's compliance policy to route findings to the appropriate team inbox inside the customer organization.
A patched-image rebuild targeting QTS 5.2.9.3410 build 20260214 and the corresponding QuTS hero fix versions is available on HarborGuard for affected environments. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required. The vulnerable service is exposed over the network, so an attacker must be able to reach it across the internet or an internal network segment.
- Authentication: Required. The attacker must hold an administrator account on the device; a low-privilege account is not sufficient to reach the vulnerable code path.
- Victim interaction: Not required. No action from a legitimate user is needed; the attacker can trigger the vulnerability entirely on their own once authenticated.
- Attack complexity: Low. The exploit is reliable and condition-free, with no race conditions or special environmental factors required beyond obtaining admin credentials.
Blast Radius
- The attacker executes arbitrary operating system commands on the QNAP device with the privileges of the injected process.
- All data stored on the NAS is readable, including files, credentials, and configuration secrets.
- Stored data and configuration can be modified or deleted, disrupting any services or backups hosted on the device.
- The device itself can be rendered unavailable, taking down all hosted services and any attached storage volumes.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-22893 is active and matches against any image derived from affected QTS or QuTS hero versions, including internally built images. For environments running a vulnerable version, a patched rebuild targeting the fixed versions (QTS 5.2.9.3410 build 20260214 or later; QuTS hero h5.2.9.3410 build 20260214, h5.3.4.3500 build 20260520, or h6.0.0.3459 build 20260409 or later) is available. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the fixed version, runs a regression test suite, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy does not permit auto-remediation, the finding is routed to the designated team inbox for manual review and promotion.
Fix available
- QNAP Systems Inc. / QTS: < 5.2.9.3410 build 20260214 (from 5.2.0)
- QNAP Systems Inc. / QuTS hero: < h5.2.9.3410 build 20260214 (from h5.2.0) · < h5.3.4.3500 build 20260520 (from h5.3.0) · < h6.0.0.3459 build 20260409 (from ?)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
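As an added defender-side example (not part of this advisory and not HarborGuard's own tooling), the following Python encodes the affected ranges listed under Fix available above and classifies firmware strings from a device inventory as vulnerable, fixed or unlisted. The inventory rows and host names are constructed, the parser and its version-tuple layout are this example's own assumptions, and the unknown lower bound of the h6.0.0 branch is treated as open; the per-branch comparison also shows why a naive "less than the highest fix" check would misreport patched h5.2 devices.

```python
"""Fleet check for CVE-2026-22893: compare QNAP firmware strings with the fixed builds."""
import re

# Affected ranges as listed on this page: (inclusive lower bound or None, first fixed build).
# The page gives "?" as the lower bound of the h6.0.0 branch, so it is left open here.
AFFECTED_RANGES = {
    "QTS": [("5.2.0", "5.2.9.3410 build 20260214")],
    "QuTS hero": [
        ("h5.2.0", "h5.2.9.3410 build 20260214"),
        ("h5.3.0", "h5.3.4.3500 build 20260520"),
        (None, "h6.0.0.3459 build 20260409"),
    ],
}
_VERSION_RE = re.compile(r"^h?(\d+(?:\.\d+){1,3})(?:\s+build\s+(\d{8}))?$")

def parse_version(text: str) -> tuple:
    """'h5.2.9.3410 build 20260214' -> (5, 2, 9, 3410, 20260214).

    The QuTS hero 'h' prefix is dropped, short versions are zero-padded to four
    parts and the build date (0 when absent) goes last, so tuples compare in
    release order.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts) + (int(m.group(2) or 0),)

def assess(product: str, version_text: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unlisted' for one device."""
    v = parse_version(version_text)
    for low, fixed_text in AFFECTED_RANGES[product]:
        fixed = parse_version(fixed_text)
        if v[:2] != fixed[:2]:
            # A range only applies inside its own release branch (same major.minor);
            # otherwise a patched h5.2 build would compare below the h6.0 fix.
            continue
        if low is not None and v < parse_version(low):
            return "unlisted"
        return "vulnerable" if v < fixed else "fixed"
    return "unlisted"  # branch not listed by the advisory: do not report it as fixed

def triage(inventory):
    """Group constructed (host, product, version) rows by assessment."""
    report = {"vulnerable": [], "fixed": [], "unlisted": []}
    for host, product, version in inventory:
        report[assess(product, version)].append(host)
    return report
```

Hosts that come back as unlisted run a branch this advisory does not enumerate and need a manual check against the vendor bulletin rather than being assumed safe.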