Security News > 2022 > May > QNAP fixes critical QVR remote command execution vulnerability
QNAP has released several security advisories today, one of them for a critical security issue that allows remote execution of arbitrary commands on vulnerable QVR systems, the company's video surveillance solution hosted on a NAS device.
QNAP's advisory explains that the "Vulnerability has been reported to affect QNAP VS Series NVR running QVR. If exploited, this vulnerability allows remote attackers to run arbitrary commands."
As we have seen in the past, critical vulnerabilities in QNAP systems are leveraged almost immediately in cyberattacks when an exploit becomes publicly available.
Apart from the critical issue in QVR, QNAP also addressed eight vulnerabilities in other products, with severity ratings between medium and high.
CVE-2022-27588: Critical-severity RCE in QNAP QVR. CVE-2021-38693: Medium-severity path traversal vulnerability in thttpd, affecting QTS, QuTS hero, and QuTScloud.
CVE-2021-44051: High-severity command injection flaw that allows arbitrary remote command execution in QTS, QuTS hero, and QuTScloud.
News URL
Related news
- Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection (source)
- Cisco fixes ClamAV vulnerability with available PoC and critical Meeting Management flaw (source)
- GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs (source)
- Critical Cacti Security Flaw (CVE-2025-22604) Enables Remote Code Execution (source)
- Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) (source)
- Microsoft Patches Critical Azure AI Face Service Vulnerability with CVSS 9.9 Score (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-05-05 | CVE-2022-27588 | Command Injection vulnerability in Qnap QVR 5.1.5 We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.6 build 20220401 and later | 9.8 |
| 2022-05-05 | CVE-2021-44051 | Command Injection vulnerability in Qnap Qts, Quts Hero and Qutscloud A command injection vulnerability has been reported to affect QNAP NAS running QuTScloud, QuTS hero and QTS. | 8.8 |
| 2022-05-05 | CVE-2021-38693 | Path Traversal vulnerability in Qnap QTS and Qutscloud A path traversal vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, QTS, QVR Pro Appliance. | 5.3 |