CVE-2024-14026

moderate-risk
Published 2026-03-11

A command injection vulnerability has been reported to affect several QNAP operating system versions. If an attacker gains local network access who have also gained a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.3.3006 build 20250108 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.3.3006 build 20250108 and later

Do I need to act?

-
0.02% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.8/10 High
LOCAL / LOW complexity

Affected Products (20)

Qts
Qts
Qts
Qts
Qts
Qts
Qts
Qts
Qts
Qts
Qts
Qts
Qts
Qts
Qts
Qts
Qts
Qts
Qts
Qts

Affected Vendors

Qnap

References (1)

Vendor Advisory https://www.qnap.com/en/security-advisory/qsa-24-54
49
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 0/34 · Minimal
Exposure 25/34 · High