Security News > 2022 > May > QNAP fixes critical QVR remote command execution vulnerability
QNAP has released several security advisories today, one of them for a critical security issue that allows remote execution of arbitrary commands on vulnerable QVR systems, the company's video surveillance solution hosted on a NAS device.
QNAP's advisory explains that the "Vulnerability has been reported to affect QNAP VS Series NVR running QVR. If exploited, this vulnerability allows remote attackers to run arbitrary commands."
As we have seen in the past, critical vulnerabilities in QNAP systems are leveraged almost immediately in cyberattacks when an exploit becomes publicly available.
Apart from the critical issue in QVR, QNAP also addressed eight vulnerabilities in other products, with severity ratings between medium and high.
CVE-2022-27588: Critical-severity RCE in QNAP QVR. CVE-2021-38693: Medium-severity path traversal vulnerability in thttpd, affecting QTS, QuTS hero, and QuTScloud.
CVE-2021-44051: High-severity command injection flaw that allows arbitrary remote command execution in QTS, QuTS hero, and QuTScloud.
News URL
Related news
- Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability (source)
- Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence (source)
- Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution (source)
- Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028) (source)
- Critical Windows Server 2025 dMSA Vulnerability Enables Active Directory Compromise (source)
- Over 100,000 WordPress Sites at Risk from Critical CVSS 10.0 Vulnerability in Wishlist Plugin (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-05-05 | CVE-2022-27588 | Command Injection vulnerability in Qnap QVR 5.1.5 We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.6 build 20220401 and later | 9.8 |
| 2022-05-05 | CVE-2021-44051 | Command Injection vulnerability in Qnap Qts, Quts Hero and Qutscloud A command injection vulnerability has been reported to affect QNAP NAS running QuTScloud, QuTS hero and QTS. | 8.8 |
| 2022-05-05 | CVE-2021-38693 | Path Traversal vulnerability in Qnap QTS and Qutscloud A path traversal vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, QTS, QVR Pro Appliance. | 5.3 |