CVE-2020-2509

CRITICALCISA KEV

9.8

Descripcion

A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later QTS 4.5.1.1495 Build 20201123 and later QTS 4.3.6.1620 Build 20210322 and later QTS 4.3.4.1632 Build 20210324 and later QTS 4.3.3.1624 Build 20210416 and later QTS 4.2.6 Build 20210327 and later QuTS hero h4.5.1.1491 build 20201119 and later

Detalles CVE

Puntuacion CVSS v3.19.8

SeveridadCRITICAL

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosNONE

Interaccion usuarioNONE

Publicado4/17/2021

Ultima modificacion10/27/2025

Fuentekev

Avistamientos honeypot0

CISA KEV

VendedorQNAP

ProductoQNAP Network-Attached Storage (NAS)

Nombre vulnerabilidadQNAP Network-Attached Storage (NAS) Command Injection Vulnerability

Fecha inclusion KEV2022-04-11

Fecha limite remediacion2022-05-02

Uso en ransomwareUnknown

Productos afectados

qnap:qtsqnap:quts_hero

Debilidades (CWE)

CWE-77CWE-78CWE-77

Referencias

https://www.qnap.com/en/security-advisory/qsa-21-05(security@qnapsecurity.com.tw)

https://www.qnap.com/en/security-advisory/qsa-21-05(af854a3a-2127-422b-91ae-364da2661108)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-2509(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.