CVE-2026-22897
Published: 20 March 2026
Description
A command injection vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.4.0415 and later
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-22897 by requiring timely flaw remediation through patching to QuNetSwitch version 2.0.4.0415 or later.
Prevents command injection exploitation by validating remote inputs to block arbitrary command execution payloads.
Detects ongoing or successful command injection attacks by monitoring for indicators of unauthorized command execution on the system.
Security SummaryAI
CVE-2026-22897 is a command injection vulnerability (CWE-78) affecting QuNetSwitch, a component from QNAP. Published on 2026-03-20, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact remote exploitation. The flaw allows remote attackers to execute arbitrary commands on affected systems.
Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants attackers the ability to run arbitrary commands, potentially leading to full system compromise with high confidentiality, integrity, and availability impacts.
QNAP's security advisory (QSA-26-11) confirms the issue has been addressed in QuNetSwitch version 2.0.4.0415 and later, recommending immediate upgrades to mitigate the risk.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote exploitation of a public-facing application (T1190) via command injection, directly facilitating arbitrary Unix shell command execution (T1059.004) on Linux-based QNAP systems.