Strix
26.1K

CVE-2023-23368

CRITICALCVSS 9.8/10EPSS 18.69%

Last modified

CVE-2023-23368 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2376 build 20230421 and later QTS 4.5.4.2374 build 20230416 and later QuTS hero h5.0.1.2376 build 20230421 and later QuTS hero h4.5.4.2374 build 20230417 and later QuTScloud c5.0.1.2374 and later . EPSS estimates a 18.69% chance of exploitation in the next 30 days.

Description

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2376 build 20230421 and later QTS 4.5.4.2374 build 20230416 and later QuTS hero h5.0.1.2376 build 20230421 and later QuTS hero h4.5.4.2374 build 20230417 and later QuTScloud c5.0.1.2374 and later

Metrics

CVSS 3.1
9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
18.69%

96.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersionsUpdate
QnapQts5.0.1
QnapQts5.0.1.2034Build 20220515
QnapQts5.0.1.2079Build 20220629
QnapQts5.0.1.2131Build 20220820
QnapQts5.0.1.2137Build 20220826
QnapQts5.0.1.2145Build 20220903
QnapQts5.0.1.2173Build 20221001
QnapQts5.0.1.2194Build 20221022
QnapQts5.0.1.2234Build 20221201
QnapQts5.0.1.2248Build 20221215
QnapQts5.0.1.2277Build 20230112
QnapQts5.0.1.2346Build 20230322
QnapQts4.5.4
QnapQts4.5.4.1715Build 20210630
QnapQts4.5.4.1723Build 20210708
QnapQts4.5.4.1741Build 20210726
QnapQts4.5.4.1787Build 20210910
QnapQts4.5.4.1800Build 20210923
QnapQts4.5.4.1892Build 20211223
QnapQts4.5.4.1931Build 20220128
QnapQts4.5.4.2012Build 20220419
QnapQts4.5.4.2117Build 20220802
QnapQts4.5.4.2280Build 20230112
QnapQuts Heroh5.0.1.2045Build 20220526
QnapQuts Heroh5.0.1.2192Build 20221020
QnapQuts Heroh5.0.1.2248Build 20221215
QnapQuts Heroh5.0.1.2269Build 20230104
QnapQuts Heroh5.0.1.2277Build 20230112
QnapQuts Heroh5.0.1.2348Build 20230324
QnapQuts Heroh4.5.4.1771Build 20210825
QnapQuts Heroh4.5.4.1800Build 20210923
QnapQuts Heroh4.5.4.1813Build 20211006
QnapQuts Heroh4.5.4.1848Build 20211109
QnapQuts Heroh4.5.4.1892Build 20211223
QnapQuts Heroh4.5.4.1951Build 20220218
QnapQuts Heroh4.5.4.1971Build 20220310
QnapQuts Heroh4.5.4.1991Build 20220330
QnapQuts Heroh4.5.4.2052Build 20220530
QnapQuts Heroh4.5.4.2138Build 20220824
QnapQuts Heroh4.5.4.2217Build 20221111
QnapQuts Heroh4.5.4.2272Build 20230105
QnapQutscloudc5.0.1.1949Build 20220218
QnapQutscloudc5.0.1.1998Build 20220408
QnapQutscloudc5.0.1.2044Build 20220524
QnapQutscloudc5.0.1.2148Build 20220905

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2023-23368?
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2376 build 20230421 and later QTS 4.5.4.2374 build 20230416 and later QuTS hero h5.0.1.2376 build 20230421 and later QuTS hero h4.5.4.2374 build 20230417 and later QuTScloud c5.0.1.2374 and later
How severe is CVE-2023-23368?
CVE-2023-23368 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 18.69% probability of exploitation in the next 30 days.
How do I fix CVE-2023-23368?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-23368?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST