{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22902", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "state": "PUBLISHED", "assignerShortName": "qnap", "dateReserved": "2026-01-13T07:49:08.784Z", "datePublished": "2026-03-20T16:21:07.923Z", "dateUpdated": "2026-03-25T14:05:39.936Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2026-03-20T16:25:00.669Z"}, "title": "QuNetSwitch", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "CWE-78", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88"}]}], "affected": [{"vendor": "QNAP Systems Inc.", "product": "QuNetSwitch", "versions": [{"status": "affected", "version": "2.0.x", "lessThan": "2.0.5.0906", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A command injection vulnerability has been reported to affect QuNetSwitch. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands.\n\nWe have already fixed the vulnerability in the following version:\nQuNetSwitch 2.0.5.0906 and later", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A command injection vulnerability has been reported to affect QuNetSwitch. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands.<br><br>We have already fixed the vulnerability in the following version:<br>QuNetSwitch 2.0.5.0906 and later<br>"}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-26-11"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.7, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"}}], "solutions": [{"lang": "en", "value": "We have already fixed the vulnerability in the following version:\nQuNetSwitch 2.0.5.0906 and later", "supportingMedia": [{"type": "text/html", "base64": false, "value": "We have already fixed the vulnerability in the following version:<br>QuNetSwitch 2.0.5.0906 and later<br>"}]}], "credits": [{"lang": "en", "value": "\u7522\u54c1\u5b89\u5168\u6f0f\u6d1e\u7375\u6355\u8a08\u5283 - YingMuo", "type": "finder"}], "source": {"advisory": "QSA-26-11", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:05:34.007988Z", "id": "CVE-2026-22902", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:05:39.936Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22902", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "state": "PUBLISHED", "assignerShortName": "qnap", "dateReserved": "2026-01-13T07:49:08.784Z", "datePublished": "2026-03-20T16:21:07.923Z", "dateUpdated": "2026-03-25T14:05:39.936Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2026-03-20T16:25:00.669Z"}, "title": "QuNetSwitch", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "CWE-78", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88"}]}], "affected": [{"vendor": "QNAP Systems Inc.", "product": "QuNetSwitch", "versions": [{"status": "affected", "version": "2.0.x", "lessThan": "2.0.5.0906", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A command injection vulnerability has been reported to affect QuNetSwitch. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands.\n\nWe have already fixed the vulnerability in the following version:\nQuNetSwitch 2.0.5.0906 and later", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A command injection vulnerability has been reported to affect QuNetSwitch. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands.<br><br>We have already fixed the vulnerability in the following version:<br>QuNetSwitch 2.0.5.0906 and later<br>"}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-26-11"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.7, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"}}], "solutions": [{"lang": "en", "value": "We have already fixed the vulnerability in the following version:\nQuNetSwitch 2.0.5.0906 and later", "supportingMedia": [{"type": "text/html", "base64": false, "value": "We have already fixed the vulnerability in the following version:<br>QuNetSwitch 2.0.5.0906 and later<br>"}]}], "credits": [{"lang": "en", "value": "\u7522\u54c1\u5b89\u5168\u6f0f\u6d1e\u7375\u6355\u8a08\u5283 - YingMuo", "type": "finder"}], "source": {"advisory": "QSA-26-11", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22902", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T14:05:34.007988Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:05:37.238Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qnap:qunetswitch:*:*:*:*:*:*:*:*", "matchCriteriaId": "D3420F6C-DB33-452A-B9B3-7673A9172172", "versionEndIncluding": "2.0.5.0906", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A command injection vulnerability has been reported to affect QuNetSwitch. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands.\n\nWe have already fixed the vulnerability in the following version:\nQuNetSwitch 2.0.5.0906 and later"}], "id": "CVE-2026-22902", "lastModified": "2026-03-25T20:50:13.897", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}, "published": "2026-03-20T17:16:44.783", "references": [{"source": "security@qnapsecurity.com.tw", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-26-11"}], "sourceIdentifier": "security@qnapsecurity.com.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@qnapsecurity.com.tw", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2.0.x,2.0.5.0906)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "qunetswitch", "vendor": "qnap_systems"}], "analysis": {"en": {"generated_at": "2026-03-20T17:25:55.819764+00:00", "value": {"mitigation_remediation": ["Upgrade QuNetSwitch firmware to version 2.0.5.0906 or later.", "Enforce strong password policies and limit local administrator access to trusted personnel.", "Monitor and audit command execution for signs of suspicious activity as a temporary safeguard."], "summary": {"action": "Patch", "impact": "Local Command Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects QNAP Systems\u2019 QuNetSwitch device. Firmware versions prior to 2.0.5.0906 are vulnerable; versions 2.0.5.0906 and later contain the fix.", "description_and_impact": "A command injection flaw exists in QNAP Systems Inc.\u2019s QuNetSwitch firmware that permits a local attacker who has obtained an administrator account to run arbitrary operating\u2011system commands. This vulnerability maps to CWE\u201178, Security Feature Failure: Improper Control of Generation of Code or Commands.", "risk_and_exploitability": "The CVSS v3 base score is 5.7, indicating moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. Because it requires local administrator privileges, the attack surface is limited to users who can log in to the device directly. Nonetheless, once access is achieved, an attacker can execute any command with the effective privileges of the admin account, potentially compromising the entire device\u2019s confidentiality, integrity, and availability."}}}}, "created": "2026-03-23T09:53:23.596295+00:00", "title": "Command Injection in QNAP QuNetSwitch Allows Local Administrator to Execute Arbitrary Commands", "updated": "2026-03-25T14:29:13.753664+00:00", "vendors": ["qnap_systems", "qnap_systems$PRODUCT$qunetswitch"]}