CVE-2026-24719
HighCVSS 7.2Exploitation Probability (EPSS)
Elevated risk58th percentile - higher than 58% of all known CVEs
Summary
A command injection vulnerability has been reported in QNAP QTS and QuTS hero operating systems. A remote attacker with an administrator account can exploit this flaw to execute arbitrary commands.
Risk Assessment
The risk for the organization includes full compromise of the QNAP device by an attacker with administrator privileges, potentially leading to data theft, malware installation, or further network attacks.
Recommendation
Immediately update QTS to version 5.2.9.3492 or later, and QuTS hero to version h5.2.9.3499 or later. Restrict administrative interface access to trusted networks only.
Original NVD description (English source)
A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later

