CVE-2026-24719: CWE-78 in QNAP Systems Inc. QTS
CVE-2026-24719 is a command injection vulnerability in QNAP Systems Inc. QTS operating system. It allows a remote attacker with administrator privileges to execute arbitrary commands on affected systems. The vulnerability affects QTS versions prior to 5. 2. 9. 3492 build 20260507 and QuTS hero versions prior to 5. 2. 9. 3499 build 20260514.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-24719) is a command injection flaw (CWE-78) in QNAP QTS operating system. An attacker who already has administrator access can exploit this issue to execute arbitrary commands remotely. The vendor has fixed the vulnerability in QTS 5.2.9.3492 build 20260507 and later, and QuTS hero 5.2.9.3499 build 20260514 and later. No known exploits in the wild have been reported as of the publication date.
Potential Impact
Successful exploitation allows an attacker with administrator privileges to execute arbitrary commands on the affected QNAP device, potentially leading to full system compromise. This elevates the risk of unauthorized control and manipulation of the device and its data.
Mitigation Recommendations
Upgrade affected QTS systems to version 5.2.9.3492 build 20260507 or later, and QuTS hero to version 5.2.9.3499 build 20260514 or later, where the vulnerability has been fixed. No other mitigation or temporary workaround is indicated.
CVE-2026-24719: CWE-78 in QNAP Systems Inc. QTS
Description
CVE-2026-24719 is a command injection vulnerability in QNAP Systems Inc. QTS operating system. It allows a remote attacker with administrator privileges to execute arbitrary commands on affected systems. The vulnerability affects QTS versions prior to 5. 2. 9. 3492 build 20260507 and QuTS hero versions prior to 5. 2. 9. 3499 build 20260514.
CVSS v4.0
Score 8.6high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-24719) is a command injection flaw (CWE-78) in QNAP QTS operating system. An attacker who already has administrator access can exploit this issue to execute arbitrary commands remotely. The vendor has fixed the vulnerability in QTS 5.2.9.3492 build 20260507 and later, and QuTS hero 5.2.9.3499 build 20260514 and later. No known exploits in the wild have been reported as of the publication date.
Potential Impact
Successful exploitation allows an attacker with administrator privileges to execute arbitrary commands on the affected QNAP device, potentially leading to full system compromise. This elevates the risk of unauthorized control and manipulation of the device and its data.
Mitigation Recommendations
Upgrade affected QTS systems to version 5.2.9.3492 build 20260507 or later, and QuTS hero to version 5.2.9.3499 build 20260514 or later, where the vulnerability has been fixed. No other mitigation or temporary workaround is indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- qnap
- Date Reserved
- 2026-01-26T06:41:35.897Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a28dcc68dd33fbd85dbad6b
Added to database: 6/10/2026, 3:40:54 AM
Last enriched: 6/10/2026, 3:55:49 AM
Last updated: 6/10/2026, 5:18:31 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.