CVE-2020-2509

Name: CVE-2020-2509
Creator: NVD / NIST
Published: 2021-04-17T04:15:11.327+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10Actively ExploitedEPSS 34.17%

Last modified Jun 17, 2026

CVE-2020-2509 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. CISA has confirmed active exploitation in the wild. EPSS estimates a 34.17% chance of exploitation in the next 30 days.

Description

A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later QTS 4.5.1.1495 Build 20201123 and later QTS 4.3.6.1620 Build 20210322 and later QTS 4.3.4.1632 Build 20210324 and later QTS 4.3.3.1624 Build 20210416 and later QTS 4.2.6 Build 20210327 and later QuTS hero h4.5.1.1491 build 20201119 and later

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

34.17%

98.2th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by May 2, 2022.

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Qnap	Qts	< 4.2.6
Qnap	Qts	>= 4.3.5, < 4.3.6
Qnap	Qts	>= 4.4.0, < 4.5.1
Qnap	Qts	4.2.6
Qnap	Qts	4.3.3.0174
Qnap	Qts	4.3.3.0868
Qnap	Qts	4.3.3.0998
Qnap	Qts	4.3.3.1051
Qnap	Qts	4.3.3.1098
Qnap	Qts	4.3.3.1161
Qnap	Qts	4.3.3.1252
Qnap	Qts	4.3.3.1315
Qnap	Qts	4.3.3.1386
Qnap	Qts	4.3.3.1432
Qnap	Qts	4.3.4.0358
Qnap	Qts	4.3.4.0370
Qnap	Qts	4.3.4.0372
Qnap	Qts	4.3.4.0374
Qnap	Qts	4.3.4.0387
Qnap	Qts	4.3.4.0411
Qnap	Qts	4.3.4.0416
Qnap	Qts	4.3.4.0427
Qnap	Qts	4.3.4.0434
Qnap	Qts	4.3.4.0435
Qnap	Qts	4.3.4.0451
Qnap	Qts	4.3.4.0483
Qnap	Qts	4.3.4.0486
Qnap	Qts	4.3.4.0506
Qnap	Qts	4.3.4.0516
Qnap	Qts	4.3.4.0526
Qnap	Qts	4.3.4.0551
Qnap	Qts	4.3.4.0557
Qnap	Qts	4.3.4.0561
Qnap	Qts	4.3.4.0569
Qnap	Qts	4.3.4.0593
Qnap	Qts	4.3.4.0597
Qnap	Qts	4.3.4.0604
Qnap	Qts	4.3.4.0899
Qnap	Qts	4.3.4.1029
Qnap	Qts	4.3.4.1082
Qnap	Qts	4.3.4.1190
Qnap	Qts	4.3.4.1282
Qnap	Qts	4.3.4.1368
Qnap	Qts	4.3.4.1417
Qnap	Qts	4.3.4.1463
Qnap	Qts	4.3.6
Qnap	Qts	4.3.6.0895
Qnap	Qts	4.3.6.0907
Qnap	Qts	4.3.6.0923
Qnap	Qts	4.3.6.0944

Showing 50 of 72 affected configurations. See NVD for the full list.

References

https://www.qnap.com/en/security-advisory/qsa-21-05Vendor Advisory
https://www.qnap.com/en/security-advisory/qsa-21-05Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-2509US Government Resource

Timeline

Published: Apr 17, 2021
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2020-2509?

How severe is CVE-2020-2509?

CVE-2020-2509 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 34.17% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

How do I fix CVE-2020-2509?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-2509?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST