CVE-2023-23355

Name: CVE-2023-23355
Creator: NVD / NIST
Published: 2023-03-29T05:15:07.563+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.2/10EPSS 1.23%

Last modified Jun 17, 2026

CVE-2023-23355 is a high-severity vulnerability rated 7.2/10 on the CVSS scale. An OS command injection vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows remote authenticated administrators to execute commands via unspecified vectors. QES is not affected. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2346 build 20230322 and later QTS 4.5.4.2374 build 20230416 and later QuTS hero h5.0.1.2348 build 20230324 and later QuTS hero h4.5.4.2374 build 20230417 and later QuTScloud c5.0.1.2374 and later . EPSS estimates a 1.23% chance of exploitation in the next 30 days.

Description

An OS command injection vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows remote authenticated administrators to execute commands via unspecified vectors. QES is not affected. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2346 build 20230322 and later QTS 4.5.4.2374 build 20230416 and later QuTS hero h5.0.1.2348 build 20230324 and later QuTS hero h4.5.4.2374 build 20230417 and later QuTScloud c5.0.1.2374 and later

Metrics

CVSS 3.1

7.2/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

1.23%

65.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Qnap	Qvr	All versions
Qnap	Qts	< 5.0.1.2346
Qnap	Quts Hero	< h5.0.1.2348
Qnap	Qutscloud	All versions
Qnap	Qvp-41b Firmware	All versions
Qnap	Qvp-63b Firmware	All versions
Qnap	Qvp-85b Firmware	All versions
Qnap	Qvp-21a Firmware	All versions
Qnap	Qvp-41a Firmware	All versions
Qnap	Qvp-63a Firmware	All versions
Qnap	Qvp-85a Firmware	All versions

References

https://www.qnap.com/en/security-advisory/qsa-23-10Vendor Advisory
https://www.qnap.com/en/security-advisory/qsa-23-10Vendor Advisory

Timeline

Published: Mar 29, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-23355?

How severe is CVE-2023-23355?

CVE-2023-23355 has a CVSS score of 7.2/10 (HIGH severity). The EPSS model estimates a 1.23% probability of exploitation in the next 30 days.

How do I fix CVE-2023-23355?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-23355?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST