CVE-2026-22901

Critical

Published: 20 March 2026

Published

20 March 2026

Modified

25 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0042 61.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A command injection vulnerability has been reported to affect QuNetSwitch. If a remote attacker gains a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906…

and later

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely remediation of flaws, directly addressing this command injection vulnerability by applying the vendor fix in QuNetSwitch 2.0.5.0906.

SI-10 Information Input Validation good match

prevent

SI-10 mandates input validation to block malicious command injection payloads from being processed by the system.

AC-6 Least Privilege partial match

prevent

AC-6 enforces least privilege on user accounts, limiting the scope and impact of arbitrary commands executed via the vulnerability.

Security SummaryAI

CVE-2026-22901 is a command injection vulnerability (CWE-78) affecting QuNetSwitch. Published on 2026-03-20T17:16:44.627, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with potential for high confidentiality, integrity, and availability impacts.

A remote attacker who gains a user account can exploit the vulnerability to execute arbitrary commands on the affected system.

QNAP has fixed the vulnerability in QuNetSwitch version 2.0.5.0906 and later. Additional details are available in the security advisory at https://www.qnap.com/en/security-advisory/qsa-26-11.

Details

CWE(s): CWE-78

Affected Products

qnap

qunetswitch

2.0.1.13077 — 2.0.5.0906

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

Remote unauthenticated command injection (CVSS PR:N) enables exploitation of public-facing applications (T1190) and facilitates arbitrary command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.qnap.com/en/security-advisory/qsa-26-11
Vendor Advisory · security@qnapsecurity.com.tw