CVE-2026-22900
Published: 20 March 2026
Description
A use of hard-coded credentials vulnerability has been reported to affect QuNetSwitch. Remote attackers can exploit the vulnerability to gain unauthorized access. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later.
Mitigating Controls (NIST 800-53 r5)
Requires timely installation of vendor patches like QuNetSwitch 2.0.5.0906 to remediate the hard-coded credentials vulnerability and prevent unauthorized access.
Prohibits hard-coded and default authenticators by mandating their management, changing, and replacement to block exploitation for unauthorized access.
Enables review, monitoring, and disabling of accounts associated with hard-coded credentials to limit unauthorized remote access opportunities.
Security Summary
CVE-2026-22900 is a use of hard-coded credentials vulnerability (CWE-798) affecting QuNetSwitch from QNAP. Published on 2026-03-20, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity: it is reachable over the network, has low attack complexity, and requires neither privileges nor user interaction.
Remote, unauthenticated attackers can exploit the vulnerability over the network by leveraging the hard-coded credentials to gain unauthorized access to affected QuNetSwitch devices. This access enables high-impact compromise of confidentiality, integrity, and availability, potentially allowing full control over the device.
QNAP's security advisory confirms the vulnerability has been fixed in QuNetSwitch version 2.0.5.0906 and later. Administrators should update to a patched version immediately to mitigate risks, with full details available at https://www.qnap.com/en/security-advisory/qsa-26-11.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hard-coded credentials enable use of default accounts for unauthorized remote access.