CVE-2026-24719

N/A

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to...

Affects 0 products across 1 vendor.

CVSS v48.6
EPSS1.0%
Percentile58th
PatchUnknown
CWE Weakness Definitions
CWE-78: OS Command Injection

Attacker injects OS commands through application inputs passed to system() or equivalent calls, leading to arbitrary command execution.

◆ SAGE Intelligence — CITED Relevance Research Team

CVE-2026-24719 is a command injection vulnerability affecting multiple QNAP operating system versions (QTS and QuTS hero), commonly used in NAS devices deployed as file servers, backup targets, and data historians in OT/ICS environments. If a remote attacker first obtains or compromises an administrator account, they can execute arbitrary OS-level commands on the device. In OT environments, QNAP NAS devices are frequently used for storing historian data, PLC backups, and HMI configurations, making exploitation a high-impact lateral movement or data destruction risk.

Is this CVE in your environment?

BreachSpider monitors your ICS/OT environment for vulnerabilities like this one. No agents or network access required. Free to start.

Check My Environment →
Frequently Asked Questions
What is CVE-2026-24719?
CVE-2026-24719 is a command injection vulnerability affecting multiple QNAP operating system versions (QTS and QuTS hero), commonly used in NAS devices deployed as file servers, backup targets, and data historians in OT/ICS environments. If a remote attacker first obtains or compromises an administrator account, they can execute arbitrary OS-level commands on the device. In OT environments, QNAP NAS devices are frequently used for storing historian data, PLC backups, and HMI configurations, maki
Is CVE-2026-24719 actively exploited?
No confirmed active exploitation of CVE-2026-24719 as of 2026-06-24.
How do I remediate CVE-2026-24719?
Update to QTS 5.2.9.3492 build 20260507 / QuTS hero h5.2.9.3499 build 20260514 or later. Patches sanitize administrator-supplied input before passing to OS command execution functions in the QNAP web management interface, eliminating the command injection vector on both QTS and QuTS hero operating system branches. Advisory: https://www.qnap.com/en/security-advisory/qsa-26-24719
What systems are affected by CVE-2026-24719?
CVE-2026-24719 affects: Qnap.
Vulnerability Details
CVE IDCVE-2026-24719
Published2026-06-10
Last Modified2026-06-10
ICS Relevance70%
Weakness (CWE)
SourceNVD
Official Description

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later

Source: NIST NVD / MITRE CVE Database

Affected Products
VendorProductFixed Version
Qnap —
Remediation

Fixed Version: QTS 5.2.9.3492 build 20260507 / QuTS hero h5.2.9.3499 build 20260514

Patches sanitize administrator-supplied input before passing to OS command execution functions in the QNAP web management interface, eliminating the command injection vector on both QTS and QuTS hero operating system branches.

View Vendor Advisory →
Threat Intelligence
● Threat Intelligence Validated: July 2026 | Threat Age: 32 Days
CISA KEVNot in KEV catalog
Public ExploitNot confirmed
PoC CodeNot confirmed
● Virtual Patch — CITED Relevance SAGE Engine MEDIUM CONFIDENCE

Deploy IDS/IPS rules on the OT DMZ perimeter firewall and any network segments with QNAP NAS devices. Block inbound HTTP/HTTPS access to QNAP management ports (8080, 8081, 443, 80) from all untrusted network zones. Whitelist only the dedicated management jump host IP(s) for administrative access. Log and alert on any POST requests containing shell metacharacters or common command injection payloads targeting QNAP CGI endpoints.

No reliable network detection signature exists for this vulnerability class — apply the compensating controls above and the vendor patch. SAGE only publishes a network rule when a concrete on-the-wire signature can be grounded in the advisory.

Virtual patch generated by CITED Relevance SAGE. Validate in isolated environment before production deployment. Compensating control only - does not replace vendor patch.

Related CVEs affecting Qnap
CVE-2017-7876 10.0 This command injection vulnerability in QTS allows attackers to run arbitrary... CVE-2024-32766 10.0 An OS command injection vulnerability has been reported to affect several QNA... CVE-2024-32764 9.9 A missing authentication for critical function vulnerability has been reporte... CVE-2017-17033 9.8 A buffer overflow vulnerability in password function in QNAP QTS version 4.2.... CVE-2017-17028 9.8 A buffer overflow vulnerability in external device function in QNAP QTS versi...
View all Qnap CVEs →

ICS/OT Vulnerability Intelligence for Your Environment

BreachSpider monitors 353,228 CVEs across ICS/OT vendors. SAGE-enriched alerts with virtual patches, NERC-CIP mapping, and PSIRT contacts delivered to your SIEM in minutes.

Join free →